diff options
Diffstat (limited to 'config')
70 files changed, 3424 insertions, 544 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template index 69ffb9c7..93de58af 100644 --- a/config/apache_mod_security-dev/apache.template +++ b/config/apache_mod_security-dev/apache.template @@ -176,7 +176,7 @@ LoadModule status_module libexec/apache22/mod_status.so LoadModule autoindex_module libexec/apache22/mod_autoindex.so LoadModule asis_module libexec/apache22/mod_asis.so LoadModule info_module libexec/apache22/mod_info.so -LoadModule cgi_module libexec/apache22/mod_cgi.so +#LoadModule cgi_module libexec/apache22/mod_cgi.so LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so LoadModule negotiation_module libexec/apache22/mod_negotiation.so LoadModule dir_module libexec/apache22/mod_dir.so diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml index b3acba57..3c8de686 100755 --- a/config/apache_mod_security-dev/apache_balancer.xml +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -139,6 +139,9 @@ <option> <name>HTTP</name> <value>http</value> </option> <option> <name>HTTPS</name> <value>https</value> </option> </options> + </field> <field> + <name><![CDATA[Internal Server(s)]]></name> + <type>listtopic</type> </field> <field> <fielddescr> @@ -146,48 +149,51 @@ </fielddescr> <fieldname>additionalparameters</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> <rowhelper> <rowhelperfield> <fielddescr>fqdn or ip</fielddescr> <fieldname>host</fieldname> <description>Internal site IP or Hostnamesite</description> <type>input</type> - <size>20</size> + <size>27</size> </rowhelperfield> <rowhelperfield> <fielddescr>port</fielddescr> <fieldname>port</fieldname> <description>Internal site port</description> <type>input</type> - <size>4</size> + <size>5</size> </rowhelperfield> <rowhelperfield> <fielddescr>routeid</fielddescr> <fieldname>routeid</fieldname> <description>id to define stick connections</description> <type>input</type> - <size>4</size> + <size>6</size> </rowhelperfield> <rowhelperfield> <fielddescr>weight</fielddescr> <fieldname>loadfactor</fieldname> <description>Server weight</description> <type>input</type> - <size>4</size> + <size>6</size> </rowhelperfield> <rowhelperfield> <fielddescr>ping</fielddescr> <fieldname>ping</fieldname> <description>Server ping test interval</description> <type>input</type> - <size>4</size> + <size>6</size> </rowhelperfield> <rowhelperfield> <fielddescr>ttl</fielddescr> <fieldname>ttl</fieldname> <description>Server pint ttl</description> <type>input</type> - <size>4</size> + <size>6</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index fb83f9a6..76208c70 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -27,7 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "apache"; // Check to find out on which system the package is running $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) @@ -35,7 +35,7 @@ if ($pf_version > 2.0) else define('APACHEDIR', '/usr/local'); // End of system check -define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +define ('MODSECURITY_DIR','crs'); // Rules directory location define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); function apache_textarea_decode($base64){ @@ -57,10 +57,6 @@ function apache_get_real_interface_address($iface) { // Ensure NanoBSD can write. pkg_mgr will remount RO conf_mount_rw(); -// Needed mod_security directories -if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) - safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); - // Startup function function apache_mod_security_start() { exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); @@ -127,20 +123,23 @@ function apache_mod_security_resync() { global $config, $g; apache_mod_security_install(); $dirs=array("base", "experimental","optional", "slr"); - if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) - exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")){ + exec ("/usr/local/bin/git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".APACHEDIR."/".MODSECURITY_DIR); + //chdir (APACHEDIR."/".MODSECURITY_DIR); + //exec ("/usr/local/bin/git checkout -q 2.2.8"); + } $write_config=0; foreach ($dirs as $dir){ if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { - $write_config++; - $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); - while (false !== ($entry = readdir($handle))) { - if (preg_match("/(\S+).conf/",$entry,$matches)) - $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); - } - closedir($handle); - } - } + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); + } + } if ($write_config > 0) write_config(); apache_mod_security_checkconfig(); @@ -230,7 +229,8 @@ function generate_apache_configuration() { //performance settings //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html - $performance_settings="KeepAlive {$settings['keepalive']}\n"; + $keepalive=($settings['keepalive']?$settings['keepalive']:"on"); + $performance_settings="KeepAlive {$keepalive}\n"; if ($settings['maxkeepalivereq']) $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; if ($settings['keepalivetimeout']) @@ -313,6 +313,8 @@ function generate_apache_configuration() { } //configure virtual hosts + $namevirtualhosts=array(); + $namevirtualhosts[0]=$global_listen; if (is_array($config['installedpackages']['apachevirtualhost'])){ $vh_config= <<<EOF ################################################################################## @@ -332,6 +334,9 @@ EOF; $iface_address = apache_get_real_interface_address($virtualhost['interface']); $ip=$iface_address[0]; $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + if (!in_array("{$ip}:{$port}",$namevirtualhosts)) + $namevirtualhosts[]="{$ip}:{$port}"; + $vh_config.="# {$virtualhost['description']}\n"; $vh_config.="<VirtualHost {$ip}:{$port}>\n"; $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; @@ -487,31 +492,22 @@ EOF; // clear list of bound addresses before updating $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); - // Process proxy sites // Configure NameVirtualHost directives $aliases = ""; - $processed = array(); - if(is_array($config['installedpackages']['apachemodsecurity'])) { - foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { - if($ams['ipaddress'] && $ams['port']) - $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else - $local_ip_port = $global_listen; - // Do not add entries twice. - if(!in_array($local_ip_port, $processed)) { - // explicit bind if not global ip:port - if ($local_ip_port != $global_listen) { - $aliases .= "Listen $local_ip_port\n"; - // Automatically add this to configuration - $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); - } - $mod_proxy .= "NameVirtualHost $local_ip_port\n"; - $processed[] = $local_ip_port; + //add NameVirtualHost and listening entries to configured virtualhosts + foreach ($namevirtualhosts as $namevirtualhost){ + // explicit bind if not global ip:port + if ($namevirtualhost != $global_listen) { + $mod_proxy .= "NameVirtualHost {$namevirtualhost}\n"; + $aliases .= "Listen $namevirtualhost\n"; + // Automatically add this to configuration + $aplisten=split(":",$namevirtualhost); + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $aplisten[0], 'ipport' => $aplisten[1]); } } - } + //** Uncomment to allow adding ip/ports not used by any site proxies //** Otherwise unused addresses/ports will be automatically deleted from the configuration // foreach ($configuredaliases as $ams) { diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml index 2e29a9af..7a3737cd 100644 --- a/config/apache_mod_security-dev/apache_virtualhost.xml +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -113,6 +113,11 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/pkg_apache.inc</item> + </additional_files_needed> <tabs> <tab> <text>Apache</text> @@ -150,9 +155,12 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Status</fielddescr> <fieldname>enable</fieldname> + <listmodeon>Enabled</listmodeon> + <listmodeoff>Disabled</listmodeoff> </columnitem> <columnitem> <fielddescr>Iface</fielddescr> @@ -267,11 +275,18 @@ <show_disable_value>none</show_disable_value> </field> <field> + <name><![CDATA[Location(s)]]></name> + <type>listtopic</type> + </field> + <field> <fielddescr> <![CDATA[Location(s)]]> </fielddescr> <fieldname>locations</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> <rowhelper> <rowhelperfield> <fielddescr><![CDATA[gzip?]]></fielddescr> @@ -288,7 +303,7 @@ <fieldname>sitepath</fieldname> <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> <type>input</type> - <size>5</size> + <size>13</size> </rowhelperfield> <rowhelperfield> <fielddescr><![CDATA[Balancer]]></fielddescr> @@ -317,7 +332,7 @@ <fieldname>backendpath</fieldname> <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> <type>input</type> - <size>5</size> + <size>13</size> </rowhelperfield> <rowhelperfield> <fielddescr><![CDATA[ModSecurity]]></fielddescr> @@ -344,7 +359,7 @@ <fieldname>options</fieldname> <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> <type>input</type> - <size>5</size> + <size>12</size> </rowhelperfield> </rowhelper> </field> @@ -388,11 +403,10 @@ <rows>10</rows> <encoding>base64</encoding> </field> - </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> </service> <custom_php_resync_config_command> diff --git a/config/apache_mod_security-dev/pkg_apache.inc b/config/apache_mod_security-dev/pkg_apache.inc new file mode 100755 index 00000000..97fb2417 --- /dev/null +++ b/config/apache_mod_security-dev/pkg_apache.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['apache'] = array(); +$shortcuts['apache']['main'] = "pkg_edit.php?xml=apache_virtualhost.xml"; +$shortcuts['apache']['log'] = "diag_logs.php"; +$shortcuts['apache']['status'] = "status_services.php"; +$shortcuts['apache']['service'] = "apache_mod_security"; + +?> diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml index b2162803..c42ebddf 100644 --- a/config/apache_mod_security/apache_mod_security.xml +++ b/config/apache_mod_security/apache_mod_security.xml @@ -219,7 +219,7 @@ </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> <description>HTTP Daemon with mod_security</description> </service> diff --git a/config/arpwatch.xml b/config/arpwatch.xml index c9434075..bf163ad6 100644 --- a/config/arpwatch.xml +++ b/config/arpwatch.xml @@ -2,65 +2,64 @@ <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ + <copyright> + <![CDATA[ +/* ========================================================================== /* - arpwatch.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. + arpwatch.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>ARP Monitoring Daemon</description> + <requirements>None</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>arpwatch</name> - <version>2.1.a13</version> + <version>2.1.a14 pkg v1.1.1</version> <title>arpwatch: Settings</title> <aftersaveredirect>pkg_edit.php?xml=arpwatch.xml&id=0</aftersaveredirect> <menu> - <name>arpwatch</name> - <tooltiptext>Modify arpwatch settings.</tooltiptext> - <section>Services</section> - <configfile>arpwatch.xml</configfile> - <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> - </menu> + <name>arpwatch</name> + <tooltiptext>Modify arpwatch settings.</tooltiptext> + <section>Services</section> + <configfile>arpwatch.xml</configfile> + <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> + </menu> <service> - <name>arpwatch</name> - <rcfile>arpwatch.sh</rcfile> - <executable>arpwatch</executable> - </service> + <name>arpwatch</name> + <rcfile>arpwatch.sh</rcfile> + <executable>arpwatch</executable> + </service> <tabs> <tab> <text>Settings</text> @@ -74,10 +73,15 @@ </tabs> <configpath>installedpackages->package->$packagename->configuration->settings</configpath> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>a+rx</chmod> - <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> - </additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/sbin/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/sm.php</item> + </additional_files_needed> <fields> <field> <fielddescr>Listening Interface</fielddescr> @@ -85,21 +89,37 @@ <description>Choose the desired listening interface here.</description> <type>interfaces_selection</type> </field> + <field> + <fielddescr>Enable E-mail Notifications</fielddescr> + <fieldname>enable_email</fieldname> + <type>checkbox</type> + <description>Sends an E-mail notification for each new station and ARP change as they are seen <strong>instead of</strong> local reports.<br/>NOTE: Only works on pfSense 2.1 or later. <br/>NOTE 2: Disables local reports which rely on arpwatch debug mode, which does not work with e-mail notifications.<br/>Configure SMTP and address settings in System > Advanced on the Notifications tab</description> + </field> </fields> <custom_php_global_functions> + <![CDATA[ function sync_package_arpwatch() { global $config; + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); conf_mount_rw(); config_lock(); $log_file = "/var/log/arp.dat"; if($_POST['interface'] != "") { - $int = $_POST['interface']; + $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; } + $mail = ""; + $debug = ""; + if(($pf_version > 2.0) && (isset($_POST['enable_email']) || ($config['installedpackages']['arpwatch']['config'][0]['enable_email'] == "on"))) { + if (!empty($config['notifications']['smtp']['notifyemailaddress'])) + $mail = " -m {$config['notifications']['smtp']['notifyemailaddress']}"; + } else { + $debug = "-d"; + } $int = convert_friendly_interface_to_real_interface_name($int); $start = "touch {$log_file}\n"; - $start .= "/usr/local/sbin/arpwatch -d -f {$log_file} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; + $start .= "/usr/local/sbin/arpwatch {$debug} -f {$log_file} {$mail} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; $stop = "/usr/bin/killall arpwatch"; write_rcfile(array( "file" => "arpwatch.sh", @@ -111,11 +131,17 @@ conf_mount_ro(); config_unlock(); } + ]]> </custom_php_global_functions> <custom_add_php_command> + <![CDATA[ sync_package_arpwatch(); + ]]> </custom_add_php_command> <custom_php_install_command> + <![CDATA[ unlink_if_exists("/usr/local/etc/rc.d/arpwatch.sh"); - </custom_php_install_command> -</packagegui>
\ No newline at end of file + @link("/usr/sbin/sm.php", "/usr/sbin/sendmail"); + ]]> + </custom_php_install_command> +</packagegui> diff --git a/config/asterisk/asterisk.inc b/config/asterisk/asterisk.inc index 642a73c2..07d3d923 100644 --- a/config/asterisk/asterisk.inc +++ b/config/asterisk/asterisk.inc @@ -58,26 +58,25 @@ function sync_package_asterisk() { #mount filesystem writeable conf_mount_rw(); - //for NanoBSD compatibility, move the /etc/asterisk configuration directory to /conf, and symlink it back - if (!file_exists("/conf/asterisk/") && file_exists(ASTERISK_LOCALBASE."/etc/asterisk/")){ - rename(ASTERISK_LOCALBASE. "/etc/asterisk", ASTERISK_CONF_DIR); - symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); - } - - //check or move -dist files on dist dir $dist_dir=ASTERISK_CONF_DIR ."/dist"; if (!is_dir($dist_dir)) mkdir($dist_dir,0755,TRUE); - $dist_files= scandir(ASTERISK_CONF_DIR); - foreach ($dist_files as $dist){ - if (preg_match("/-dist/",$dist)) - rename (ASTERISK_CONF_DIR."/$dist", ASTERISK_CONF_DIR."/dist/$dist"); - } + if(file_exists (ASTERISK_LOCALBASE."/etc/asterisk") && !is_link(ASTERISK_LOCALBASE."/etc/asterisk")){ + $dist_files= scandir(ASTERISK_LOCALBASE."/etc/asterisk"); + foreach ($dist_files as $dist){ + if (preg_match("/-dist/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", "$dist_dir/$dist"); + elseif (preg_match("/\w+/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", ASTERISK_CONF_DIR."/$dist"); + } + rmdir(ASTERISK_LOCALBASE. "/etc/asterisk"); + symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); + } //fix asterisk options for nanobsd: logging, db and calls log in /tmp -// if ($g['platform'] == "nanobsd"){ + // if ($g['platform'] == "nanobsd"){ $script='/conf/asterisk/logger.conf'; if (file_exists($script)){ $script_file=file_get_contents($script); @@ -91,17 +90,17 @@ function sync_package_asterisk() { if (file_exists($script)){ //point to the /var subdirs in the writable area in RAM $script_file=file_get_contents($script); - $pattern[0]='@[directories](!)@'; - $replace[0]='[directories]'; - $pattern[1]='@astetcdir => \S+@'; + $pattern[0]='/(\Wdirectories\W)\S+/'; + $replace[0]='$1'; + $pattern[1]='/astetcdir => \S+/'; $replace[1]='astetcdir => /conf/asterisk'; - $pattern[2]='@astdbdir => \S+@'; + $pattern[2]='/astdbdir => \S+/'; $replace[2]='astdbdir => /var/db/asterisk'; - $pattern[3]='@astspooldir => \S+@'; + $pattern[3]='/astspooldir => \S+/'; $replace[3]='astspooldir => /var/spool/asterisk'; - $pattern[4]='@astrundir => \S+@'; + $pattern[4]='/astrundir => \S+/'; $replace[4]='astrundir => /var/run/asterisk'; - $pattern[5]='@astlogdir => \S+@'; + $pattern[5]='/astlogdir => \S+/'; $replace[5]='astlogdir => /var/log/asterisk'; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); @@ -339,14 +338,14 @@ EOF; $script_file=file_get_contents($script); //strenghten a couple of security settings, and predefine codecs in the default SIP configuration if (strpos($script_file,'pfSense') === false) { //first check if already added... - $pattern[0]=';allowguest'; + $pattern[0]='/;allowguest\S+/'; $replace[0]='allowguest=no ;by pfSense ;'; - $pattern[1]=';alwaysauthreject'; + $pattern[1]='/;alwaysauthreject/'; $replace[1]='alwaysauthreject=yes ;by pfSense ;'; - $pattern[2]='; jbenable'; + $pattern[2]='/; jbenable/'; $replace[2]='jbenable=yes ;by pfSense ;'; - $pattern[3]='[general]'; - $replace[3]='[general]\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=ulaw\nallow=alaw\n\n'; + $pattern[3]='/(First disallow all codecs)/'; + $replace[3]="$1\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=gsm\nallow=ulaw\nallow=alaw\n\n"; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); } diff --git a/config/bind/bind.inc b/config/bind/bind.inc new file mode 100644 index 00000000..146632c9 --- /dev/null +++ b/config/bind/bind.inc @@ -0,0 +1,883 @@ +<?PHP +/* $Id$ */ +/* + bind.inc + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ +$shortcut_section = "bind"; +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('service-utils.inc'); +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('BIND_LOCALBASE', '/usr/pbi/bind-' . php_uname("m")); +else + define('BIND_LOCALBASE','/usr/local'); + +define('CHROOT_LOCALBASE','/cf/named'); + +function bind_zone_validate($post, $input_errors){ + if (key_exists("mail",$_POST)) + $_POST['mail']=preg_replace("/@/",".",$post['mail']); + + switch ($_POST['type']){ + case 'slave': + if( $_POST['slaveip'] == "") + $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.'; + break; + case 'forward': + if( $_POST['forwarders'] == "") + $input_errors[] = 'The field \'Forwarders\' is required for forward zones.'; + break; + case 'redirect': + $_POST['tll']=300; + $_POST['refresh']=0; + $_POST['serial']=0; + $_POST['retry']=0; + $_POST['expire']=0; + $_POST['minimum']=0; + if($_POST['mail']=='') + $input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones."; + + default: + if($_POST['nameserver']=='') + $input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones."; + for ($i=0;$i < count($_POST);$i++){ + if (key_exists("hostname$i",$_POST)){ + if ($_POST['reverso']=="on"){ + $_POST["hostvalue$i"]=""; + if (!preg_match("/(PTR|NS)/",$_POST["hosttype$i"])) + $input_errors[] = 'On reverse zones, valid record types are NS or PTR'; + } + if (preg_match("/(MX|NS)/",$_POST["hosttype$i"])) + $_POST["hostname$i"]=""; + if (!preg_match("/(MX|NS)/",$_POST["hosttype$i"]) && $_POST["hostname$i"]=="") + $input_errors[] = 'Record cannot be empty for '.$_POST["hosttype$i"].' type '; + if ($_POST["hosttype$i"]=="MX" && $_POST["hostvalue$i"]=="") + $_POST["hostvalue$i"]="10"; + if ($_POST["hosttype$i"]!="MX" && $_POST["hostvalue$i"]!="") + $_POST["hostvalue$i"]=""; + if ($_POST["hostdst$i"]=="") + $input_errors[] = 'Alias or IP address cannot be empty.'; + } + } + } +} + + function bind_sync(){ + + global $config; + conf_mount_rw(); + //create rndc + $rndc_confgen="/usr/local/sbin/rndc-confgen"; + if (!file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense") && file_exists($rndc_confgen)){ + exec("$rndc_confgen ",$rndc_conf); + foreach($rndc_conf as $line) + $confgen_file.="$line\n"; + file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsese",$confgen_file); + } + if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese")){ + $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsese"); + $confgen="rndc.conf"; + $rndc_bindconf=""; + foreach ($rndc_conf as $line){ + if ($confgen =="rndc.conf"){ + if (!preg_match ("/^#/",$line)) + $rndc_file.=$line; + } + else{ + if (!preg_match ("/named.conf/",$line)) + $rndc_bindconf.=preg_replace('/#/',"",$line); + } + if (preg_match("/named.conf/",$line)){ + $confgen="named.conf"; + file_put_contents(BIND_LOCALBASE."/etc/rndc.conf",$rndc_file); + } + } + } + + $bind = $config["installedpackages"]["bind"]["config"][0]; + $bind_enable = $bind['enable_bind']; + $bind_forwarder = $bind['bind_forwarder']; + $forwarder_ips = $bind['bind_forwarder_ips']; + $ram_limit = ($bind['bind_ram_limit']?$bind['bind_ram_limit']:"256M"); + $hide_version = $bind['bind_hide_version']; + $bind_notify = $bind['bind_notify']; + $custom_options = base64_decode($bind['bind_custom_options']); + $bind_logging = $bind['bind_logging']; + $bind_conf ="#Bind pfsense configuration\n"; + $bind_conf .="#Do not edit this file!!!\n\n"; + $bind_conf .= "$rndc_bindconf\n"; + $bind_conf .= <<<EOD + +options { + directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + statistics-file "/var/log/named.stats"; + max-cache-size {$ram_limit}; + +EOD; + // check response rate limit option + //https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html + //http://ss.vix.su/~vjs/rl-arm.html + if ($bind['rate_enabled']=="on"){ + $rate_limit=($bind['rate_limit']?$bind['rate_limit']:"15"); + $log_only=($bind['log_only']=="no"?"no":"yes"); + $bind_conf .= <<<EOD + rate-limit { + responses-per-second {$rate_limit}; + log-only {$log_only}; + }; + +EOD; + } + //check ips to listen on + if (preg_match("/All/",$bind['listenon'])){ + $bind_listenonv6="Any;"; + $bind_listenon="Any;"; + } + else{ + $bind_listenonv6=""; + $bind_listenon =""; + foreach (explode(',',$bind['listenon']) as $listenon){ + if (is_ipaddrv6($listenon)) + $bind_listenonv6 .= $listenon."; "; + elseif (is_ipaddr($listenon)) + $bind_listenon .= $listenon."; "; + else{ + $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon))); + if (is_ipaddr($listenon['ipaddr'])) + $bind_listenon .= $listenon['ipaddr']."; "; + if(is_ipaddrv6($listenon['ipaddr6'])) + $bind_listenonv6 .= $listenon['ipaddr6']."; "; + } + } + } + $bind_listenonv6=($bind_listenonv6==""?"none;":$bind_listenonv6); + $bind_listenon=($bind_listenon==""?"none;":$bind_listenon); + //print "<PRE>$bind_listenonv6 $bind_listenon"; + if (key_exists("ipv6allow",$config['system'])){ + $bind_conf .="\t\tlisten-on-v6 { $bind_listenonv6 };\n"; + } + $bind_conf .="\t\tlisten-on { $bind_listenon };\n"; + + #forwarder config + if ($bind_forwarder == on) + $bind_conf .="\t\tforwarders { $forwarder_ips };\n"; + if ($bind_notify == on) + $bind_conf .="\t\tnotify yes;\n"; + if ($hide_version == on) + $bind_conf .="\t\tversion \"N/A\";\n"; + + $bind_conf .="\t\t$custom_options\n"; + $bind_conf .= "\t};\n\n"; + + if ($bind_logging == on){ + //check if bind is included on syslog + $syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf"); + $restart_syslog=0; + foreach ($syslog_files as $syslog_file){ + $syslog_file_data=file_get_contents($syslog_file); + if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){ + $syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data); + file_put_contents($syslog_file,$syslog_file_data); + $restart_syslog++; + } + } + if ($restart_syslog > 0){ + system("/usr/bin/killall -HUP syslogd"); + } + $log_categories=explode(",",$bind['log_options']); + $log_severity=($bind['log_severity']?$bind['log_severity']:'default'); + if (sizeof($log_categories) > 0 && $log_categories[0]!=""){ + $bind_conf .= <<<EOD + + logging { + channel custom { + syslog daemon; + print-time no; + print-severity yes; + print-category yes; + severity {$log_severity}; + }; + +EOD; + foreach ($log_categories as $category) + $bind_conf .="\t\t\tcategory $category\t{custom;};\n"; + $bind_conf .="\t\t};\n\n"; + } + } + else { + $bind_conf .="\t\tlogging { category default { null; }; };\n\n"; + } + + #Config Zone domain + if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){ + $config["installedpackages"]["bindacls"]["config"][] =array("name"=>"any","description"=>"Default Access list","row" => array("value"=> "","description"=>"")); + write_config("Create Default bind acl 'Any'"); + } + $bindacls = $config["installedpackages"]["bindacls"]["config"]; + for ($i=0; $i<sizeof($bindacls); $i++) + { + $aclname = $bindacls[$i]['name']; + $aclhost = $bindacls[$i]['row']; + if($aclname != "any"){ + $bind_conf .= "acl \"$aclname\" {\n"; + for ($u=0; $u<sizeof($aclhost); $u++) + { + $aclhostvalue = $aclhost[$u]['value']; + $bind_conf .= "\t$aclhostvalue;\n"; + } + $bind_conf .= "};\n\n"; + } + } + + if(is_array($config["installedpackages"]["bindviews"])) + $bindview = $config["installedpackages"]["bindviews"]["config"]; + else + $bindview =array(); + + for ($i=0; $i<sizeof($bindview); $i++) + { + $views = $config["installedpackages"]["bindviews"]["config"][$i]; + $viewname = $views['name']; + $viewrecursion = $views['recursion']; + if($views['match-clients'] == '') + $viewmatchclients = "none"; + else + $viewmatchclients = str_replace(',','; ',$views['match-clients']); + if($views['allow-recursion'] == '') + $viewallowrecursion = "none"; + else + $viewallowrecursion = str_replace(',','; ',$views['allow-recursion']); + $viewcustomoptions = base64_decode($views['bind_custom_options']); + + $bind_conf .= "view \"$viewname\" { \n\n"; + $bind_conf .= "\trecursion $viewrecursion;\n"; + $bind_conf .= "\tmatch-clients { $viewmatchclients;};\n"; + $bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n"; + $bind_conf .= "\t$viewcustomoptions\n\n"; + + if(is_array($config["installedpackages"]["bindzone"])) + $bindzone = $config["installedpackages"]["bindzone"]["config"]; + else + $bindzone =array(); + + $write_config=0; + for ($x=0; $x<sizeof($bindzone); $x++) + { + $zone = $bindzone[$x]; + if ($zone['disabled']=="on"){ + continue; + } + $zonename = $zone['name']; + if ($zonename=="."){ + $custom_root_zone[$i]=true; + } + $zonetype = $zone['type']; + $zoneview = $zone['view']; + $zonecustom = base64_decode($zone['custom']); + $zoneipslave = $zone['slaveip']; + $zoneforwarders=$zone['forwarders']; + $zonereverso = $zone['reverso']; + + if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) + mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview",0755,true); + + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + + if ($zoneview == $viewname){ + if($zonereverso == "on") + $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n"; + else + $bind_conf .= "\tzone \"$zonename\" {\n"; + + $bind_conf .= "\t\ttype $zonetype;\n"; + if ($zonetype != "forward") + $bind_conf .= "\t\tfile \"/etc/namedb/$zonetype/$zoneview/$zonename.DB\";\n"; + switch ($zonetype){ + case "slave": + $bind_conf .= "\t\tmasters { $zoneipslave; };\n"; + $bind_conf .= "\t\tallow-transfer {none;};\n"; + $bind_conf .= "\t\tnotify no;\n"; + break; + case "forward": + $bind_conf .= "\t\tforward only;\n"; + $bind_conf .= "\t\tforwarders { $zoneforwarders; };\n"; + break; + case "redirect": + $bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n"; + $bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n"; + $bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n"; + break; + default: + $bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n"; + $bind_conf .= "\t\tallow-query { $zoneallowquery;};\n"; + $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n"; + if ($zone['dnssec']=="on"){ + //https://kb.isc.org/article/AA-00626/ + $bind_conf .="\n\t\t# look for dnssec keys here:\n"; + $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n"; + $bind_conf .="\t\t# publish and activate dnssec keys:\n"; + $bind_conf .="\t\tauto-dnssec maintain;\n\n"; + $bind_conf .="\t\t# use inline signing:\n"; + $bind_conf .="\t\tinline-signing yes;\n\n"; + } + } + if ($zonecustom != '') + $bind_conf .= "\t\t$zonecustom\n"; + + $bind_conf .= "\t};\n\n"; + + switch($zonetype){ + case "redirect": + case "master": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + $zonetll = ($zone['tll']?$zone['tll']:"43200"); + $zonemail = ($zone['mail']?$zone['mail']:"zonemaster.{$zonename}"); + $zonemail = preg_replace("/@/",".",$zonemail); + $zoneserial = $zone['serial']; + $zonerefresh = ($zone['refresh']?$zone['refresh']:"3600"); + $zoneretry = ($zone['retry']?$zone['retry']:"600"); + $zoneexpire = ($zone['expire']?$zone['expire']:"86400"); + $zoneminimum = ($zone['minimum']?$zone['minimum']:"3600"); + $zonenameserver = $zone['nameserver']; + $zoneipns = $zone['ipns']; + $zonereverso = $zone['reverso']; + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + $zone_conf = "\$TTL {$zonetll}\n;\n"; + if($zonereverso == "on") + $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n"; + else + $zone_conf .= "\$ORIGIN {$zonename}.\n\n"; + $zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n"; + $zone_conf .= ";\tDo not edit this file!!!\n"; + $zone_conf .= ";\tZone version {$zoneserial}\n;\n"; + if($zonereverso == "on" || $zonetype =="redirect") + $zone_conf .= "@\t IN SOA $zonenameserver. \t $zonemail. (\n"; + else + $zone_conf .= "$zonename.\t IN SOA $zonenameserver. \t $zonemail. (\n"; + + $zone_conf .= "\t\t$zoneserial ; serial\n"; + $zone_conf .= "\t\t$zonerefresh ; refresh\n"; + $zone_conf .= "\t\t$zoneretry ; retry\n"; + $zone_conf .= "\t\t$zoneexpire ; expire\n"; + $zone_conf .= "\t\t$zoneminimum ; default_ttl\n\t\t)\n\n"; + $zone_conf .= ";\n; Zone Records\n;\n"; + + if($zonereverso == "on") + $zone_conf .= "\t IN NS \t$zonenameserver.\n"; + else{ + $zone_conf .= "@ \t IN NS \t$zonenameserver.\n"; + if ($zoneipns !="") + $zone_conf .= "@ \t IN A \t$zoneipns\n"; + } + for ($y=0; $y<sizeof($zone['row']); $y++) + { + $hostname = (preg_match("/(MX|NS)/",$zone['row'][$y]['hosttype'])?"@":$zone['row'][$y]['hostname']); + $hosttype = $zone['row'][$y]['hosttype']; + $hostdst = $zone['row'][$y]['hostdst']; + if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF)/",$hosttype)) + $hostdst .= "."; + $hostvalue = $zone['row'][$y]['hostvalue']; + + $zone_conf .= "$hostname \t IN $hosttype $hostvalue \t$hostdst\n"; + } + if (($zone[regdhcpstatic] == 'on') && is_array($config['dhcpd'])) { + foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) + if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) + foreach ($dhcpifconf['staticmap'] as $host) + if ($host['ipaddr'] && $host['hostname']) { + $zone_conf .= "{$host['hostname']}\tIN A\t{$host['ipaddr']}\n"; + } + } + if ($zone['customzonerecords']!=""){ + $zone_conf .= "\n\n;\n;custom zone records\n;\n".base64_decode($zone['customzonerecords'])."\n"; + } + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB", $zone_conf); + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($zone_conf); + $write_config++; + //check dnssec keys creation for master zones + if($zone['dnssec']=="on"){ + $zone_found=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename){ + $zone_found++; + } + if ($zone_found==0){ + $key_restored=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer) + if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){ + file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX); + chmod($filer['fullfile'],0700); + chown($filer['fullfile'],"bind"); + $key_restored++; + } + } + if ($key_restored > 0){ + log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone."); + } + $dnssec_bin="/usr/local/sbin/dnssec-keygen"; + if (file_exists($dnssec_bin) && $key_restored==0){ + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout); + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout); + foreach($kout as $filename){ + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind"); + } + log_error("[bind] DNSSEC keys for {$zonename} created."); + } + } + //get ds keys + $dsfromkey="/usr/local/sbin/dnssec-dsfromkey"; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename) { + $zone_key=file_get_contents($filename); + if (preg_match("/IN DNSKEY 257 /",$zone_key) && file_exists($dsfromkey)){ + exec("$dsfromkey $filename",$dsset); + $config["installedpackages"]["bindzone"]["config"][$x]['dsset']=base64_encode(array_pop($dsset)."\n".array_pop($dsset)); + $write_config++; + } + } + //save dnssec keys to xml + + if($zone['backupkeys']=="on"){ + $dnssec_keys=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){ + $file_found=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){ + if ($filer['fullfile']==$filename) + $file_found++; + } + } + if ($file_found==0){ + $config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename, + 'description'=> "bind {$zonename} DNSSEC backup file", + 'filedata'=> base64_encode(file_get_contents($filename))); + $write_config++; + $dnssec_keys++; + } + } + if($dnssec_keys>0){ + log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config."); + } + } + } + break; + case "slave": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + //check if exists slave zone file + $rsconfig=""; + if ($zone['dnssec']=="on"){ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed")) + exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file); + } + else{ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")) + $slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"); + } + if (is_array($slave_file)){ + foreach ($slave_file as $zfile) + $rsconfig.= $zfile; + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig); + $write_config++; + } + break; + } + } + } + if (!$custom_root_zone[$i]){ + $bind_conf .="\tzone \".\" {\n"; + $bind_conf .="\t\ttype hint;\n"; + $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n"; + $bind_conf .= "\t};\n\n"; + } + if($write_config > 0){ + write_config("save result config file for zone on xml"); + } + $bind_conf .= "};\n"; + } + $dirs=array("/etc/namedb/keys","/var/run/named","/var/dump","/var/log","/var/stats","/dev"); + foreach ($dirs as $dir){ + if (!is_dir(CHROOT_LOCALBASE .$dir)) + mkdir(CHROOT_LOCALBASE .$dir,0755,true); + } + //dev dirs for chroot + $bind_dev_dir=CHROOT_LOCALBASE."/dev"; + if (!file_exists("$bind_dev_dir/random")){ + $dev_dirs=array("null","zero","random","urandom"); + exec("/sbin/mount -t devfs devfs {$bind_dev_dir}",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} ruleset 1",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule add hide",$dout); + foreach ($dev_dirs as $dev_dir) + exec("/sbin/devfs -m {$bind_dev_dir} rule add path $dev_dir unhide",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule applyset",$dout); + } + //http://www.unixwiz.net/techtips/bind9-chroot.html + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/named.conf', $bind_conf); + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/rndc.conf', $rndc_file); + + if (!file_exists(CHROOT_LOCALBASE."/etc/namedb/named.root")){ + //dig +tcp @a.root-servers.net > CHROOT_LOCALBASE."/etc/namedb/named.root" + $named_root=file_get_contents("http://www.internic.net/domain/named.root"); + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/named.root",$named_root,LOCK_EX); + } + if (!file_exists(CHROOT_LOCALBASE."/etc/localtime")){ + copy("/etc/localtime", CHROOT_LOCALBASE."/etc/localtime"); + } + + bind_write_rcfile(); + chown(CHROOT_LOCALBASE."/etc/namedb/keys","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb","bind"); + chown(CHROOT_LOCALBASE."/var/log","bind"); + chown(CHROOT_LOCALBASE."/var/run/named","bind"); + chgrp(CHROOT_LOCALBASE."/var/log","bind"); + $bind_sh="/usr/local/etc/rc.d/named.sh"; + if($bind_enable == "on"){ + chmod ($bind_sh,0755); + mwexec("{$bind_sh} restart"); + } + elseif (is_service_running('named')){ + mwexec("{$bind_sh} stop"); + chmod ($bind_sh,0644); + } + //sync to backup servers + bind_sync_on_changes(); + conf_mount_ro(); +} + +function bind_print_javascript_type_zone(){ +?> + <script language="JavaScript"> + <!-- + function on_type_zone_changed() { + + var field = document.iform.type; + var tipo = field.options[field.selectedIndex].value; + switch (tipo){ + case 'master': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 0; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 0; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + case 'slave': + document.iform.slaveip.disabled = 0; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'forward': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 0; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'redirect': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + } + } + --> + </script> +<?php +} + +function bind_print_javascript_type_zone2(){ + print("<script language=\"JavaScript\">on_type_zone_changed();document.iform.resultconfig.disabled = 1;document.iform.dsset.disabled = 1;</script>\n"); +} + +function bind_write_rcfile() { + $rc = array(); + $BIND_LOCALBASE = "/usr/local"; + $rc['file'] = 'named.sh'; + $rc['start'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ +fi + +EOD; + $rc['stop'] = <<<EOD +killall -9 named 2>/dev/null +sleep 2 +EOD; + $rc['restart'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + else + killall -9 named 2>/dev/null + sleep 3 + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + fi + +EOD; + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function bind_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['bindsync']['config'])){ + $bind_sync=$config['installedpackages']['bindsync']['config'][0]; + $synconchanges = $bind_sync['synconchanges']; + $synctimeout = $bind_sync['synctimeout']; + $master_zone_ip=$bind_sync['masterip']; + switch ($synconchanges){ + case "manual": + if (is_array($bind_sync[row])){ + $rs=$bind_sync[row]; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no hosts to push on bind config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no system backup hosts to push bind config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[bind] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + bind_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout,$master_zone_ip); + } + log_error("[bind] xmlrpc sync is ending."); + } + } +} +/* Do the actual XMLRPC sync */ +function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$master_zone_ip) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['bind'] = $config['installedpackages']['bind']; + $xml['bindacls'] = $config['installedpackages']['bindacls']; + $xml['bindviews'] = $config['installedpackages']['bindviews']; + $xml['bindzone'] = $config['installedpackages']['bindzone']; + if (is_array($config['installedpackages']['dnsseckeys'])) + $xml['dnsseckeys']=$config['installedpackages']['dnsseckeys']; + //change master zone to slave on backup servers + if(is_array($xml['bindzone']["config"])) + for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){ + if ($xml['bindzone']["config"][$x]['type']=="master"){ + $xml['bindzone']["config"][$x]['type']="slave"; + $xml['bindzone']["config"][$x]['slaveip']=$master_zone_ip; + } + + } + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("[bind] Beginning bind XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("[bind] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell bind to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/bind.inc');\n"; + $execcmd .= "bind_sync('yes');"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[bind] XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "Bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "[Bind] An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("Bind XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} +?> diff --git a/config/bind/bind.widget.php b/config/bind/bind.widget.php new file mode 100644 index 00000000..490ded9b --- /dev/null +++ b/config/bind/bind.widget.php @@ -0,0 +1,86 @@ +<?php +/* + Copyright 2013 Marcello Coutinho + Part of bind package for pfSense(www.pfsense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +@require_once("guiconfig.inc"); +@require_once("pfsense-utils.inc"); +@require_once("functions.inc"); + +$uname=posix_uname(); +if ($uname['machine']=='amd64') + ini_set('memory_limit', '250M'); + +function open_table(){ + echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">"; + echo" <tr>"; +} +function close_table(){ + echo" </tr>"; + echo"</table>"; + +} + +$pfb_table=array(); +$img['Sick']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif'>"; +$img['Healthy']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif'>"; + + +#var_dump($pfb_table); +#exit; +?><div id='bind'><?php +global $config; +$rndc_bin="/usr/local/sbin/rndc"; + +if (file_exists($rndc_bin)) + exec("$rndc_bin status",$status); + +open_table(); +foreach($status as $line){ + $fields=explode(":",$line); + print "<tr><td class=\"vncellt\"width=50%><strong>".ucfirst($fields[0])."</strong></td>\n"; + print "<td class=\"listlr\">{$fields[1]}</td>\n</tr>"; + } +close_table(); +echo"</div>"; + +?> +<script type="text/javascript"> + function getstatus_bind() { + var url = "/widgets/widgets/bind.widget.php"; + var pars = 'getupdatestatus=yes'; + var myAjax = new Ajax.Request( + url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback_bind + }); + } + function activitycallback_bind(transport) { + $('bind').innerHTML = transport.responseText; + setTimeout('getstatus_postfix()', 5000); + } + getstatus_bind(); +</script> diff --git a/config/bind/bind.xml b/config/bind/bind.xml new file mode 100644 index 00000000..76fdf523 --- /dev/null +++ b/config/bind/bind.xml @@ -0,0 +1,316 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bind</name> + <version>1.0</version> + <title>Bind: Domain Named Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext>Modify Bind settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=bind.xml</url> + </menu> + <service> + <name>named</name> + <rcfile>named.sh</rcfile> + <executable>named</executable> + <description>Domain Name Service</description> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + <active/> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_views.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_zones.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_acls.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/pkg_bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/widgets/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.widget.php</item> + </additional_files_needed> + <fields> + <field> + <type>listtopic</type> + <name>Daemon Settings</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable Bind</fielddescr> + <fieldname>enable_bind</fieldname> + <description><![CDATA[Enable DNS Bind on Server<br> + Disable Dns forwarder service on selected interfaces before enabling bind.]]></description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>Listen-on</fielddescr> + <fieldname>listenon</fieldname> + <description><![CDATA[Enable Named to listen on.]]></description> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <multiple/> + </field> + <field> + <fielddescr>Enable Notify</fielddescr> + <fieldname>bind_notify</fieldname> + <description>Notify slave server after any update on master.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Hide Version</fielddescr> + <fieldname>bind_hide_version</fieldname> + <description>Hide the version of BIND, this prevents discover the version of our servers, use any exploit that exploits a vulnerability in Bind.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Limit Memory use</fielddescr> + <fieldname>bind_ram_limit</fieldname> + <description>Limits RAM use for DNS server, recommend 256M</description> + <type>input</type> + <size>10</size> + <default_value>256M</default_value> + </field> + <field> + <type>listtopic</type> + <name>Logging options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable logging</fielddescr> + <fieldname>bind_logging</fieldname> + <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Loggin serverity</fielddescr> + <fieldname>log_severity</fieldname> + <description><![CDATA[Select logging levels for selected categories.<BR> + use CTRL+click to select/unselect.<br> + The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description> + <type>select</type> + <options> + <option><name>Critital</name><value>critical</value></option> + <option><name>Error</name><value>error</value></option> + <option><name>Warning</name><value>warning</value></option> + <option><name>Notice</name><value>Notice</value></option> + <option><name>info</name><value>info</value></option> + <option><name>Debug level 1</name><value>debug 1</value></option> + <option><name>Debug level 3</name><value>debug 3</value></option> + <option><name>Debug level 5</name><value>debug 5</value></option> + <option><name>Dynamic</name><value>dynamic</value></option> + </options> + </field> + <field> + <fielddescr>Loggin options</fielddescr> + <fieldname>log_options</fieldname> + <description><![CDATA[Select categories to log.<BR> + use CTRL+click to select/unselect.]]></description> + <type>select</type> + <options> + <option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option> + <option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option> + <option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace</name><value>database</value></option> + <option><name>Security-Approval and denial of requests</name><value>security</value></option> + <option><name>Config-Configuration file parsing and processing</name><value>config</value></option> + <option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option> + <option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option> + <option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option> + <option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option> + <option><name>Client-Processing of client requests</name><value>client</value></option> + <option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option> + <option><name>Queries-Logs all query transactions</name><value>queries</value></option> + <option><name>Network-Logs all network operations</name><value>network</value></option> + <option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option> + <option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option> + <option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option> + <option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option> + </options> + <multiple/> + <size>18</size> + </field> + <field> + <type>listtopic</type> + <name>Response Rate Limit</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Rate limit</fielddescr> + <fieldname>rate_enabled</fieldname> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html?utm_source=isc&utm_medium=website&utm_term=rrl-kb&utm_content=kbarticle&utm_campaign=bind994_release_091913'> + Limit/rate response queries</a> to prevent DOS attack.]]></description> + <type>checkbox</type> + <enablefields>rate_limit,log_only</enablefields> + </field> + <field> + <fielddescr>Limit Action</fielddescr> + <fieldname>log_only</fieldname> + <description>Select what to do when a query reaches a limit.</description> + <type>select</type> + <options> + <option><name>Deny query</name><value>no</value></option> + <option><name>Log only</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>limit</fielddescr> + <fieldname>rate_limit</fieldname> + <description>Set rate limit. Default to 15.</description> + <type>input</type> + <size>10</size> + </field> + + <field> + <type>listtopic</type> + <name>Forwarder Config</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Forwarder</fielddescr> + <fieldname>bind_forwarder</fieldname> + <description>Forwardes enable DNS Bind on Server.</description> + <type>checkbox</type> + <enablefields>bind_forwarder_ips</enablefields> + </field> + <field> + <fielddescr>Forwarder IPs</fielddescr> + <fieldname>bind_forwarder_ips</fieldname> + <description>Enter IPs to forward. Separate by semi-colons (;). [Applies only to Forwarder mode]</description> + <type>input</type> + <size>80</size> + </field> + <field> + <type>listtopic</type> + <name>custom Options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description><![CDATA[You can put your own custom options here, one per line.<br> + They'll be added to the configuration. They need to be named.conf native options.]]> + </description> + <type>textarea</type> + <cols>65</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_after_head_command> + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> + <custom_php_install_command> + bind_write_rcfile(); + </custom_php_install_command> + <custom_php_deinstall_command> + </custom_php_deinstall_command> + <filter_rules_needed></filter_rules_needed> +</packagegui> diff --git a/config/bind/bind_acls.xml b/config/bind/bind_acls.xml new file mode 100644 index 00000000..b8d10158 --- /dev/null +++ b/config/bind/bind_acls.xml @@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_acls.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindacls</name> + <version>0.1.0</version> + <title>Bind: ACLs Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + <active/> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindacls']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>ACL</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <!-- fields gets invoked when the user adds or edits a item. the following items + will be parsed and rendered for the user as a gui with input, and selectboxes. --> + <fields> + <field> + <fielddescr>ACL Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter name ACL.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this ACL.</description> + <type>input</type> + </field> + <field> + <fielddescr>Enter IP or range bloc network.</fielddescr> + <description>Leave blank to allow All</description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Value</fielddescr> + <fieldname>value</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_sync.xml b/config/bind/bind_sync.xml new file mode 100644 index 00000000..d2f9c95b --- /dev/null +++ b/config/bind/bind_sync.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_sync.xml + part of the Bind package for pfSense + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindsync</name> + <version>1.0</version> + <title>Bind: XMLRPC Sync</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync bind configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> + </field> + <field> + <fielddescr>Zone Master IP</fielddescr> + <fieldname>masterip</fieldname> + <description><![CDATA[Set master zone ip you want to use to sync backup server zones with master.<br> + <b>All master zones will be configured as backup on slave servers.<b>]]></description> + <type>input</type> + <size>20</size> + <required/> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <description><![CDATA[<b>Do not forget to:</b><br> + Create firewall rules to allow zone transfer between master and slave servers.<br> + Create a acls with these slave servers.<br> + Include created acl on allow-transfer option on zone config.]]></description> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_views.xml b/config/bind/bind_views.xml new file mode 100644 index 00000000..a6c42552 --- /dev/null +++ b/config/bind/bind_views.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindviews</name> + <version>0.1.0</version> + <title>Bind: Views Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + <active/> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindviews']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>View</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>View Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter the name of the View.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter a description of the View.</description> + <type>input</type> + </field> + <field> + <fielddescr>Recursion</fielddescr> + <fieldname>recursion</fieldname> + <description>A recursive query occurs when your DNS server is queried for a domain that it currently knows nothing about, in which case it will try to resolve the given host by performing further queries (eg by starting at the root servers and working out, or by simply passing the request to yet another DNS server).</description> + <type>select</type> + <options> + <option><name>No</name><value>no</value></option> + <option><name>Yes</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>Match-clients</fielddescr> + <fieldname>match-clients</fieldname> + <description>If either or both of match-clients are missing they default to any (all hosts match). The match-clients statement defines the address_match_list for the source IP address of the incoming messages.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-recursion</fielddescr> + <fieldname>allow-recursion</fieldname> + <description>For example, if you have one DNS server serving your local network, you may want all of your local computers to use your DNS server.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Custom Views </name> + <fieldname>temp</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description>You can put your own custom options here, separated by semi-colons (;).</description> + <type>textarea</type> + <cols>65</cols> + <rows>8</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml new file mode 100644 index 00000000..d5cbe1b8 --- /dev/null +++ b/config/bind/bind_zones.xml @@ -0,0 +1,444 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindzone</name> + <version>none</version> + <title>Bind: Zones Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindzone']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>status</fielddescr> + <fieldname>disabled</fieldname> + <listmodeon>Disabled</listmodeon> + <listmodeoff>Enabled</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + </columnitem> + <columnitem> + <fielddescr>View Name</fielddescr> + <fieldname>view</fieldname> + </columnitem> + <columnitem> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <type>listtopic</type> + <name>Domain Zone Configuration</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Disable this zone</fielddescr> + <fieldname>disabled</fieldname> + <description><![CDATA[Do not Include this zone on bind config files.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Enter the name for zone (ex:mydomain.com)<br> + For reverse zones, include zone ip in reverse order or following your provider instructions.(Ex: 1.168.192)<br> + IN-ADDR.ARPA will be automaticaly included on conf files when reveser zone option is checked.]]></description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this zone.</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + <description><![CDATA[Select zone type.]]></description> + <type>select</type> + <options> + <option><name>Master</name><value>master</value><enablefields>description</enablefields></option> + <option><name>Slave</name><value>slave</value><enablefields>ttl</enablefields></option> + <option><name>Forward</name><value>forward</value><enablefields>forward</enablefields></option> + <option><name>Redirect</name><value>redirect</value><enablefields>redirect</enablefields></option> + </options> + <onchange>on_type_zone_changed()</onchange> + <required/> + </field> + <field> + <fielddescr>View</fielddescr> + <fieldname>view</fieldname> + <description><![CDATA[Select the View that this area will belong.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindviews']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + </field> + <field> + <fielddescr>Reverse Zone</fielddescr> + <fieldname>reverso</fieldname> + <description>Enable if this is a reverse zone.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>custom Option</fielddescr> + <fieldname>custom</fieldname> + <description>You can put your own custom options here.</description> + <type>textarea</type> + <cols>75</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>DNSSEC</name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Inline Signing</fielddescr> + <fieldname>dnssec</fieldname> + <enablefields>backupkeys</enablefields> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>backup keys</fielddescr> + <fieldname>backupkeys</fieldname> + <description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>DS set</fielddescr> + <fieldname>dsset</fieldname> + <description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br> + Upload this ds set to your domain root server.]]></description> + <type>textarea</type> + <cols>75</cols> + <rows>3</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>Slave Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Master Zone IP</fielddescr> + <fieldname>slaveip</fieldname> + <description>If zone is slave, enter the IP address of the master DNS zone.</description> + <type>input</type> + </field> + <field> + <type>listtopic</type> + <name>Forward Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Forwarders</fielddescr> + <fieldname>forwarders</fieldname> + <description>Enter forwarders IPs for this domain. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + + <field> + <type>listtopic</type> + <name>Master Zone Configuration </name> + <fieldname>temp03</fieldname> + </field> + <field> + <fielddescr>TLL</fielddescr> + <fieldname>tll</fieldname> + <description>Default expiration time of all resource records without their own TTL value</description> + <type>input</type> + </field> + <field> + <fielddescr>Name Server</fielddescr> + <fieldname>nameserver</fieldname> + <description>Enter nameserver for this zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Base Domain ip</fielddescr> + <fieldname>ipns</fieldname> + <description>Enter ip address for base domain lookup. Ex: nslookup mydomain.com</description> + <type>input</type> + </field> + <field> + <fielddescr>Mail Admin Zone</fielddescr> + <fieldname>mail</fieldname> + <description>Enter mail admin zone.</description> + <type>input</type> + </field> + <field> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + <description>Parsed value for the slave to update the DNS Zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Refresh</fielddescr> + <fieldname>refresh</fieldname> + <description>Slave refresh (1 day)</description> + <type>input</type> + <default_value>1d</default_value> + </field> + <field> + <fielddescr>Retry</fielddescr> + <fieldname>retry</fieldname> + <description>Slave retry time in case of a problem (2 hours)</description> + <type>input</type> + <default_value>2h</default_value> + </field> + <field> + <fielddescr>Expire</fielddescr> + <fieldname>expire</fieldname> + <description>Slave expiration time (4 weeks)</description> + <type>input</type> + <default_value>4w</default_value> + </field> + <field> + <fielddescr>Minimum</fielddescr> + <fieldname>minimum</fieldname> + <description>Maximum caching time in case of failed lookups (1 hour)</description> + <type>input</type> + <default_value>1h</default_value> + </field> + <field> + <fielddescr>Allow-update</fielddescr> + <fieldname>allowupdate</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to send updates to this zone.<br> + Allow-update defines a match list eg IP address(es) that are allowed to submit dynamic updates for 'master' zones ie it enables Dynamic DNS (DDNS).]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-query</fielddescr> + <fieldname>allowquery</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to query this zone.<br> + Allow-query defines an match list of IP address(es) which are allowed to issue queries to the server.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-transfer</fielddescr> + <fieldname>allowtransfer</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to copy this zone.<br> + Allow-transfer defines a match list eg IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why its there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about possible DoS attack initiated by XFER requests, then use the following policy.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr>Enter Domain records.</fielddescr> + <description><![CDATA[<b>"Record"</b> is the name or last octec of ip. Sample: www or pop<br> + <b>"Type"</b> is the type of the record Sample: A CNAME MX NS<br> + <b>"Priority"</b> in used only in mx records to define its priority<br> + <b>"Alias or IP address"</b> is the destination host or ip address.<br><br> + You can order elements on this list with drag and drop between columns.]]></description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Record</fielddescr> + <fieldname>hostname</fieldname> + <description>Enter the Host Name (ex: www)</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Type</fielddescr> + <fieldname>hosttype</fieldname> + <description>Select Type Host</description> + <type>select</type> + <options> + <option><name>A</name><value>A</value></option> + <option><name>AAAA</name><value>AAAA</value></option> + <option><name>DNAME</name><value>DNAME</value></option> + <option><name>MX</name><value>MX</value></option> + <option><name>CNAME</name><value>CNAME</value></option> + <option><name>NS</name><value>NS</value></option> + <option><name>LOC</name><value>LOC</value></option> + <option><name>SRV</name><value>SRV</value></option> + <option><name>PTR</name><value>PTR</value></option> + <option><name>TXT</name><value>TXT</value></option> + <option><name>SPF</name><value>SPF</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Priority</fielddescr> + <fieldname>hostvalue</fieldname> + <description>MX 10 or 20</description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Alias or IP address</fielddescr> + <fieldname>hostdst</fieldname> + <description>Enter the IP address or CNAME destination for Domain (ex: 10.31.11.1 or mail.example.com)</description> + <type>input</type> + <size>35</size> + </rowhelperfield> + <movable>on</movable> + </rowhelper> + </field> + <field> + <fieldname>regdhcpstatic</fieldname> + <fielddescr>Register DHCP static mappings</fielddescr> + <description>If this option is set, then DHCP static mappings will be registered in DNS, so that their name can be resolved.</description> + <type>checkbox</type> + </field> + <field> + <type>listtopic</type> + <name>Custom Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>customzonerecords</fieldname> + <description><![CDATA[Paste any custom zone records to include on this zone.<br> + This can be used for a fast migration setup.]]></description> + <type>textarea</type> + <cols>84</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + <field> + <type>listtopic</type> + <name>Resulting Zone config file</name> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>resultconfig</fieldname> + <description>Resulting bind config file for this zone.</description> + <type>textarea</type> + <cols>84</cols> + <rows>15</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <custom_php_after_form_command> + bind_print_javascript_type_zone2(); + </custom_php_after_form_command> + <custom_php_after_head_command> + bind_print_javascript_type_zone(); + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + if ($_POST['type']=="master") + $_POST['serial']=(date("U")+ 1000000000); + bind_zone_validate($_POST, &$input_errors); + </custom_php_validation_command> + <custom_delete_php_command> + bind_sync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc new file mode 100644 index 00000000..3ed3351d --- /dev/null +++ b/config/bind/pkg_bind.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['bind'] = array(); +$shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml"; +$shortcuts['bind']['log'] = "diag_logs_resolver.php"; +$shortcuts['bind']['status'] = "status_services.php"; +$shortcuts['bind']['service'] = "named"; + +?> diff --git a/config/cron/cron.inc b/config/cron/cron.inc index 88388b3c..2fe9cf57 100644 --- a/config/cron/cron.inc +++ b/config/cron/cron.inc @@ -81,8 +81,8 @@ function cron_install_command() write_rcfile(array( "file" => "cron.sh", - "start" => "/usr/sbin/cron -s &", - "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid;" + "start" => "[ `/bin/pgrep -f 'cron -s' | wc -l` -eq 0 ] && /usr/sbin/cron -s &", + "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid; /bin/pkill -f 'cron -s'" ) ); diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index 12c2af93..b31df8ab 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -185,6 +185,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) { $icapscan=(preg_match('/icapscan/',$dansguardian_config['content_scanners'])?"on":"off"); $contentscannertimeout=($dansguardian_config['contentscannertimeout']?$dansguardian_config['contentscannertimeout']:"60"); $contentscanexceptions=($dansguardian_config['contentscanexceptions']?"on":"off"); + $icapurl=($dansguardian_config['icapurl']?$dansguardian_config['icapurl']:"icap://icapserver:1344/avscan"); $recheckreplacedurls=(preg_match('/recheckreplacedurls/',$dansguardian_config['misc_options'])?"on":"off"); $forwardedfor=(preg_match('/forwardedfor/',$dansguardian_config['misc_options'])?"on":"off"); $recheckreplacedurls=(preg_match('/icapscan/',$dansguardian_config['misc_options'])?"on":"off"); @@ -974,6 +975,7 @@ EOF; $filterip=($filterip==""?"filterip = ":$filterip); $filterports=($filterports==""?"filterports = $filterport":$filterports); include("/usr/local/pkg/dansguardian.conf.template"); + include("/usr/local/pkg/icapscan.conf.template"); #check cron_tab $new_cron=array(); @@ -1111,6 +1113,7 @@ EOF; #create config files file_put_contents($dansguardian_dir."/dansguardian.conf", $dg, LOCK_EX); + file_put_contents($dansguardian_dir."/contentscanners/icapscan.conf", $icapconf, LOCK_EX); #check virus_scanner options $libexec_dir= DANSGUARDIAN_DIR."/libexec/dansguardian/"; diff --git a/config/dansguardian/dansguardian.xml b/config/dansguardian/dansguardian.xml index 34d4156c..e0cb58fd 100644 --- a/config/dansguardian/dansguardian.xml +++ b/config/dansguardian/dansguardian.xml @@ -184,6 +184,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>http://www.pfsense.org/packages/config/dansguardian/icapscan.conf.template</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_rc.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> diff --git a/config/dansguardian/dansguardian_config.xml b/config/dansguardian/dansguardian_config.xml index 35b0bf5b..342b52d7 100644 --- a/config/dansguardian/dansguardian_config.xml +++ b/config/dansguardian/dansguardian_config.xml @@ -274,7 +274,7 @@ </field> <field> <fielddescr>ICAP URL</fielddescr> - <fieldname>contentscannertimeout</fieldname> + <fieldname>icapurl</fieldname> <type>input</type> <size>40</size> <description><![CDATA[Enter ICAP URL in <strong>icap://icapserver:1344/avscan</strong> format<br> diff --git a/config/dansguardian/dansguardian_ips_header.template b/config/dansguardian/dansguardian_ips_header.template index 48eb3e68..be4f28de 100644 --- a/config/dansguardian/dansguardian_ips_header.template +++ b/config/dansguardian/dansguardian_ips_header.template @@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -111,4 +111,4 @@ <rows>12</rows> <encoding>base64</encoding> </field> -
\ No newline at end of file + diff --git a/config/dansguardian/icapscan.conf.template b/config/dansguardian/icapscan.conf.template new file mode 100755 index 00000000..b4289dc1 --- /dev/null +++ b/config/dansguardian/icapscan.conf.template @@ -0,0 +1,16 @@ +<?php + $icapconf=<<<EOF +plugname = 'icapscan' + +# ICAP URL +# Use hostname rather than IP address +# Always specify the port +# +icapurl = '{$icapurl}' + +exceptionvirusmimetypelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist' +exceptionvirusextensionlist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist' +exceptionvirussitelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirussitelist' +exceptionvirusurllist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusurllist' +EOF; +?> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 0f7010d6..a18872fc 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -2971,6 +2971,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap1 $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport']?$arrmodulesldap['varmodulesldapserverport']:'389'); $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); @@ -2983,6 +2984,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap2 $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain'); + $varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport']?$arrmodulesldap['varmodulesldap2serverport']:'389'); $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA'); $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass'); $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA'); @@ -3237,6 +3239,7 @@ ldap { # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldapserver" + port = "$varmodulesldapserverport" identity = "$varmodulesldapidentity" password = $varmodulesldappassword basedn = "$varmodulesldapbasedn" @@ -3396,6 +3399,7 @@ ldap ldap2{ # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldap2server" + port = "$varmodulesldap2serverport" identity = "$varmodulesldap2identity" password = $varmodulesldap2password basedn = "$varmodulesldap2basedn" diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index aec71697..5abe85cb 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -127,6 +127,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldapserverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldapidentity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> @@ -438,6 +446,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldap2serverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldap2identity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> diff --git a/config/lightsquid/lightsquid.xml b/config/lightsquid/lightsquid.xml index b8ce2bc8..53d074c5 100644 --- a/config/lightsquid/lightsquid.xml +++ b/config/lightsquid/lightsquid.xml @@ -186,7 +186,7 @@ <input type="submit" name="Submit" value="Refresh full"> <br> Press button for start background refresh (this take some time). <br> <span style="color: rgb(153, 51, 0);"> Note after installation: - <br> On the first - enable log in squid package with "/var/squid/log" path. + <br> On the first - enable log in squid package with "/var/squid/logs" path. <br> On the second - press Refresh button for create lightsquid reports, else you will have error diagnostic page.</span> </description> <type>select</type> diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc index 85b67ddf..cf8c837c 100644 --- a/config/mailreport/mail_reports.inc +++ b/config/mailreport/mail_reports.inc @@ -229,8 +229,6 @@ function mail_report_send($headertext, $cmdtext, $logtext, $attachments) { if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; - } else { - echo "<strong>Message sent to {$address}!</strong>\n"; } } diff --git a/config/mailreport/mail_reports_generate.php b/config/mailreport/mail_reports_generate.php index a784c596..c31909c9 100644 --- a/config/mailreport/mail_reports_generate.php +++ b/config/mailreport/mail_reports_generate.php @@ -53,9 +53,21 @@ if (!$config['mailreports']['schedule'][$id]) exit; $thisreport = $config['mailreports']['schedule'][$id]; -$cmds = $thisreport['cmd']['row']; -$logs = $thisreport['log']['row']; -$graphs = $thisreport['row']; + +if (is_array($thisreport['cmd']) && is_array($thisreport['cmd']['row'])) + $cmds = $thisreport['cmd']['row']; +else + $cmds = array(); + +if (is_array($thisreport['log']) && is_array($thisreport['log']['row'])) + $logs = $thisreport['log']['row']; +else + $logs = array(); + +if (is_array($thisreport['row'])) + $graphs = $thisreport['row']; +else + $graphs = array(); // If there is nothing to do, bail! if ((!is_array($cmds) || !(count($cmds) > 0)) diff --git a/config/mailreport/mailreport.xml b/config/mailreport/mailreport.xml index d27d3a28..5a759984 100644 --- a/config/mailreport/mailreport.xml +++ b/config/mailreport/mailreport.xml @@ -37,7 +37,7 @@ ]]> </copyright> <name>mailreport</name> - <version>2.0.4</version> + <version>2.0.6</version> <title>Status: Mail Reports</title> <additional_files_needed> <prefix>/usr/local/bin/</prefix> diff --git a/config/nut/nut.inc b/config/nut/nut.inc index 0c1235dd..46c5741e 100644 --- a/config/nut/nut.inc +++ b/config/nut/nut.inc @@ -272,7 +272,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; @@ -356,7 +356,6 @@ EOD; $snmpcommunity = nut_config('snmpcommunity'); $snmpfreq = nut_config('snmpfreq'); $snmpdisabletransfer = (nut_config('snmpdisabletransfer') == 'on'); - $allowaddr = nut_config('allowaddr'); $allowuser = nut_config('allowuser'); $allowpass = nut_config('allowpass'); @@ -389,7 +388,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; diff --git a/config/nut/nut.xml b/config/nut/nut.xml index 4a9c3d46..fcfbdfe6 100644 --- a/config/nut/nut.xml +++ b/config/nut/nut.xml @@ -299,6 +299,10 @@ <value>upscode204</value> </option> <option> + <name>Generic USB UPS (Blazer)</name> + <value>blazer_usb01</value> + </option> + <option> <name>Inform GUARD Line Interactive</name> <value>powercom00</value> </option> @@ -653,4 +657,4 @@ <custom_php_deinstall_command> deinstall_package_nut(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 1d1609ed..c7afb9e6 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -33,6 +33,10 @@ require_once("globals.inc"); require_once("openvpn.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); +require_once("util.inc"); +require_once("pfsense-utils.inc"); function openvpn_client_export_install() { conf_mount_rw(); @@ -168,6 +172,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); $nl = ($doslines) ? "\r\n" : "\n"; $conf = ""; @@ -180,27 +185,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // determine basic variables - if ($useaddr == "serveraddr") { - $interface = $settings['interface']; - if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { - $server_host = $settings['ipaddr']; - } else { - if (!$interface || ($interface == "any")) - $interface = "wan"; - $server_host = get_interface_ip($interface); - } - } else if ($useaddr == "serverhostname" || empty($useaddr)) { - $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; - $server_host .= "{$config['system']['domain']}"; - } else - $server_host = $useaddr; - + $remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl); $server_port = $settings['local_port']; - $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); - if (($expformat == "inlineios") && ($proto == "tcp-client")) - $proto = "tcp"; - $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode']; @@ -215,14 +203,15 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese // if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp")) // $conf .= "proto tcp-client{$nl}"; $conf .= "cipher {$cipher}{$nl}"; + $conf .= "auth {$digest}{$nl}"; $conf .= "tls-client{$nl}"; $conf .= "client{$nl}"; if (($expformat != "inlinedroid") && ($expformat != "inlineios")) $conf .= "resolv-retry infinite{$nl}"; - $conf .= "remote {$server_host} {$server_port} {$proto}{$nl}"; - if (!empty($servercn) && ($expformat != "inlineios")) { + $conf .= "$remotes{$nl}"; + if (!empty($servercn)) { $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "tls-remote {$qw}{$servercn}{$qw}{$nl}"; + $conf .= "verify-x509-name {$qw}{$servercn}{$qw} name{$nl}"; } if (!empty($proxy)) { @@ -309,8 +298,13 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // add optional settings - if ($settings['compression']) - $conf .= "comp-lzo{$nl}"; + if (!empty($settings['compression'])) { + if ($pfs_version > 2.1) + $conf .= "comp-lzo {$settings['compression']}{$nl}"; + else + $conf .= "comp-lzo{$nl}"; + } + if ($settings['passtos']) $conf .= "passtos{$nl}"; @@ -731,6 +725,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client"); $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $conf = "dev tun\n"; @@ -741,6 +736,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; + $conf .= "auth {$digest}\n"; $conf .= "pull\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; @@ -811,4 +807,111 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco return $conf; } +function openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl) { + global $config; + $remotes = array(); + if (($useaddr == "serveraddr") || ($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $interface = $settings['interface']; + if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { + $server_host = $settings['ipaddr']; + } else { + if (!$interface || ($interface == "any")) + $interface = "wan"; + $server_host = get_interface_ip($interface); + } + } else if ($useaddr == "serverhostname" || empty($useaddr)) { + $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; + $server_host .= "{$config['system']['domain']}"; + } else + $server_host = $useaddr; + + $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); + if (($expformat == "inlineios") && ($proto == "tcp-client")) + $proto = "tcp"; + + if (($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $destinations = openvpn_client_export_find_port_forwards($server_host, $settings['local_port'], $proto, true, ($useaddr == "servermagichost")); + foreach ($destinations as $dest) { + $remotes[] = "remote {$dest['host']} {$dest['port']} {$dest['proto']}"; + } + } else { + $remotes[] = "remote {$server_host} {$settings['local_port']} {$proto}"; + } + + return implode($nl, $remotes); +} + +function openvpn_client_export_find_port_forwards($targetip, $targetport, $targetproto, $skipprivate, $findhostname=false) { + global $config, $FilterIflist; + if (empty($FilterIflist)) + filter_generate_optcfg_array(); + $destinations = array(); + + foreach ($config['nat']['rule'] as $natent) { + $dest = array(); + if (!isset($natent['disabled']) + && ($natent['target'] == $targetip) + && ($natent['local-port'] == $targetport) + && ($natent['protocol'] == $targetproto)) { + $dest['proto'] = $natent['protocol']; + + // Could be multiple ports... But we can only use one. + $dports = is_port($natent['destination']['port']) ? array($natent['destination']['port']) : filter_expand_alias_array($natent['destination']['port']); + $dest['port'] = $dports[0]; + + // Could be network or address ... + $natif = (!$natent['interface']) ? "wan" : $natent['interface']; + + if (!isset($FilterIflist[$natif])) + continue; // Skip if there is no interface + + $dstaddr = trim(filter_generate_address($natent, 'destination', true)); + if(!$dstaddr) + $dstaddr = $FilterIflist[$natif]['ip']; + + $dstaddr_port = explode(" ", $dstaddr); + + if(empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port") + continue; // Skip port forward if no destination address found + + + if (!is_ipaddr($dstaddr_port[0])) + continue; // We can only work with single IPs, not subnets! + + + if ($skipprivate && is_private_ip($dstaddr_port[0])) + continue; // Skipping a private IP destination! + + $dest['host'] = $dstaddr_port[0]; + + if ($findhostname) { + $hostname = openvpn_client_export_find_hostname($natif); + if (!empty($hostname)) + $dest['host'] = $hostname; + } + + $destinations[] = $dest; + } + } + + return $destinations; +} + +function openvpn_client_export_find_hostname($interface) { + global $config; + $hostname = ""; + if (is_array($config['dyndnses']['dyndns'])) { + foreach ($config['dyndnses']['dyndns'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + if (is_array($config['dnsupdates']['dnsupdate'])) { + foreach ($config['dnsupdates']['dnsupdate'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + +} ?> diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index f90ac2cf..a1c263f1 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.0.11</version> + <version>1.1.3</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index c2a54432..ad6c65da 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -597,6 +597,8 @@ function useproxy_changed(obj) { <td> <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> + <option value="servermagic" >Automagic Multi-WAN IPs (port forward targets)</option> + <option value="servermagichost" >Automagic Multi-WAN DDNS Hostnames (port forward targets)</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> <?php foreach ($config['dyndnses']['dyndns'] as $ddns): ?> diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 97abc138..59b7eb11 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc @@ -33,8 +33,20 @@ /* ========================================================================== */ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0){ + + // Function to get squidGuard directory + // each squidGuard version has a different directory + function getsqGuardDir() { + foreach (glob("/usr/pbi/*",GLOB_ONLYDIR) as $dirname) { + if (preg_match("/squidguard-/i", $dirname)) { + return trim($dirname); + break; + } + } + } + define('SARG_DIR', '/usr/pbi/sarg-' . php_uname("m")); - define('SQGARD_DIR','/usr/pbi/squidguard-' . php_uname("m")); + define('SQGARD_DIR', getsqGuardDir()); define('SQUID_DIR', '/usr/pbi/squid-' . php_uname("m")); define('DANSG_DIR', '/usr/pbi/dansguardian-' . php_uname("m")); } @@ -142,7 +154,7 @@ EOF; } #create a new file to speedup find search file_put_contents("/root/sarg_run_{$id}.sh",$gzip_script,LOCK_EX); - mwexec($cmd. " ".$args); + mwexec("export LC_ALL=C && " .$cmd. " ".$args); #check if there is a script to run after file save if (is_array($config['installedpackages']['sarg'])) switch ($config['installedpackages']['sarg']['config'][0]['proxy_server']){ @@ -248,7 +260,7 @@ function sync_package_sarg() { $anonymous_output_files=(preg_match('/anonymous_output_files/',$sarg['report_options'])?"yes":"no"); $resolve_ip=(preg_match('/resolve_ip/',$sarg['report_options'])?"yes":"no"); $user_ip=(preg_match('/user_ip/',$sarg['report_options'])?"yes":"no"); - $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"REVERSE":"NORMAL"); + $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"reverse":"normal"); $remove_temp_files=(preg_match('/remove_temp_files/',$sarg['report_options'])?"yes":"no"); $main_index=(preg_match('/main_index/',$sarg['report_options'])?"yes":"no"); $index_tree=(preg_match('/index_tree/',$sarg['report_options'])?"file":"date"); diff --git a/config/sarg/sarg_frame.php b/config/sarg/sarg_frame.php index 4d3421ab..21638247 100755 --- a/config/sarg/sarg_frame.php +++ b/config/sarg/sarg_frame.php @@ -68,9 +68,11 @@ if ($report != "" ) #look for graph files inside reports. if (preg_match_all('/img src="([a-zA-Z0-9._-]+).png/',$report,$images)){ + conf_mount_rw(); for ($x=0;$x<count($images[1]);$x++){ copy("{$dir}/{$prefix}/{$images[1][$x]}.png","/usr/local/www/sarg-images/temp/{$images[1][$x]}.{$rand}.png"); } + conf_mount_ro(); } print preg_replace($pattern,$replace,$report); } diff --git a/config/sarg/sarg_reports.php b/config/sarg/sarg_reports.php index b1792312..b156a4d7 100755 --- a/config/sarg/sarg_reports.php +++ b/config/sarg/sarg_reports.php @@ -61,7 +61,9 @@ require("guiconfig.inc"); $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=sarg_sync.xml&id=0"); $tab_array[] = array(gettext("Help"), false, "/pkg_edit.php?xml=sarg_about.php"); display_top_tabs($tab_array); + conf_mount_rw(); exec('rm -f /usr/local/www/sarg-images/temp/*'); + conf_mount_ro(); ?> </td></tr> <tr> diff --git a/config/sarg/sarg_schedule.xml b/config/sarg/sarg_schedule.xml index 0c452335..9e1ad709 100644 --- a/config/sarg/sarg_schedule.xml +++ b/config/sarg/sarg_schedule.xml @@ -141,8 +141,11 @@ <fielddescr>Sarg args</fielddescr> <fieldname>args</fieldname> <description><![CDATA[Enter sarg extra args to run on this schedule.<br> - To force sarg to create a report only from current day, use:<br> - <strong>-d `date +%d/%m/%Y`-`date +%d/%m/%Y`</strong>]]></description> + To force sarg to create a report only for specific days, use:<br> + <b>TODAY:</b> -d `date +%d/%m/%Y`<br> + <b>YESTERDAY:</b> -d `date -v-1d +%d/%m/%Y`<br> + <b>WEEKAGO:</b> -d `date -v-1w +%d/%m/%Y`- `date -v-1d +%d/%m/%Y`<br> + <b>MONTHAGO:</b> -d `date -v-1m +01/%m/%Y`-`date -v-1m +31/%m/%Y`]]></description> <type>input</type> <size>50</size> </field> diff --git a/config/sm.php b/config/sm.php new file mode 100644 index 00000000..2e1cc4a0 --- /dev/null +++ b/config/sm.php @@ -0,0 +1,42 @@ +#!/usr/local/bin/php -q +<?php +require_once("config.inc"); +require_once("globals.inc"); +require_once("notices.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if (($pf_version < 2.1)) { + $error = "Sending e-mail on this version of pfSense is not supported. Please use pfSense 2.1 or later"; + log_error($error); + echo "{$error}\n"; + return; +} + +$options = getopt("s::"); + +$message = ""; + +if($options['s'] <> "") { + $subject = $options['s']; +} + + +$in = file("php://stdin"); +foreach($in as $line){ + $line = trim($line); + if ( (substr($line, 0, 6) == "From: ") + || (substr($line, 0, 6) == "Date: ") + || (substr($line, 0, 4) == "To: ")) + continue; + if (empty($subject) && (substr($line, 0, 9) == "Subject: ")) { + $subject = substr($line, 9); + continue; + } + $message .= "$line\n"; +} + +if (!empty($subject)) + send_smtp_message($message, $subject); +else + send_smtp_message($message); +?>
\ No newline at end of file diff --git a/config/snort/snort.inc b/config/snort/snort.inc index d69f6237..98b80d66 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -47,7 +47,7 @@ global $rebuild_rules; /* package version */ $snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.6.0"; +$pfSense_snort_version = "2.6.1"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -67,12 +67,9 @@ else { /* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); -define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); -define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -define("ET_VERSION", "2.9.0"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); -define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); @@ -83,81 +80,6 @@ $rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); -function snort_get_alias_value($alias) { - /***************************************************/ - /* This function returns the value of the passed */ - /* Alias, or an empty string if the value cannot */ - /* be determined. */ - /* */ - /* On Entry: $alias ==> Alias to be evaluated */ - /* Returns: Alias value as a string or an empty */ - /* string */ - /***************************************************/ - - global $config; - - $entries = array(); - $tmp = ""; - - // If no Aliases are defined in the configuration, - // return an empty string. - if (empty($config['aliases'])) - return $tmp; - - // See if we were passed a valid Alias and return - // an empty string if not. - if (!is_alias($alias)) - return $tmp; - - // We have a valid Alias, so find its value or - // values and return as a string. - return snort_unpack_alias($alias); -} - -function snort_unpack_alias($alias) { - - /**************************************************/ - /* This function unpacks an Alias to determine */ - /* the actual values it represents. Any nested */ - /* Aliases encountered are also unpacked via */ - /* recursive calls to this function. */ - /* */ - /* Fully-qualified-domain-name (FQDN) aliases */ - /* are detected and resolved via a pfctl() call. */ - /**************************************************/ - - global $config; - $value = ""; - - // Find the matching Alias entry in config - foreach ($config['aliases']['alias'] as $aliased) { - if($aliased['name'] == $alias) { - $addr = array(); - $addr = explode(" ", trim($aliased['address'])); - foreach ($addr as $a) { - if (!is_alias($a) && !empty($a)) { - if (is_ipaddr($a) || is_subnet($a) || is_port($a)) - // If address, subnet or port, we found the final value - $value .= $a . " "; - elseif (is_hostname($a)) { - // Found a FQDN value for this Alias, so resolve it - $entries = array(); - exec("/sbin/pfctl -t " . escapeshellarg($alias) . " -T show", $entries); - $value .= trim(implode(" ", $entries)); - } - else - continue; - } - elseif (is_alias($a)) - // Found a nested Alias, so recursively resolve it - $value .= snort_unpack_alias($a) . " "; - } - return trim($value); - } - } - return $value; -} - function snort_is_single_addr_alias($alias) { /***************************************************/ /* This function evaluates the passed Alias to */ @@ -172,12 +94,50 @@ function snort_is_single_addr_alias($alias) { /***************************************************/ /* If spaces in expanded Alias, it's not a single entity */ - if (strpos(snort_get_alias_value($alias), " ") !== false) + if (strpos(trim(filter_expand_alias($alias)), " ") !== false) return false; else return true; } +function snort_expand_port_range($ports) { + /**************************************************/ + /* This function examines the passed ports string */ + /* and expands any embedded port ranges into the */ + /* individual ports separated by commas. A port */ + /* range is indicated by a colon in the string. */ + /* */ + /* On Entry: $ports ==> string to be evaluated */ + /* with commas separating */ + /* the port values. */ + /* Returns: string with any encountered port */ + /* ranges expanded. */ + /**************************************************/ + + $value = ""; + + // Split the incoming string on the commas + $tmp = explode(",", $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . ","; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . ","; + $val .= $end; + } + } + $value .= $val . ","; + } + + // Remove any trailing comma in return value + return trim($value, ","); +} + function snort_get_blocked_ips() { $blocked_ips = ""; exec('/sbin/pfctl -t snort2c -T show', $blocked_ips); @@ -359,7 +319,7 @@ function snort_build_list($snortcfg, $listname = "", $whitelist = false) { $vips = $list['vips']; $vpns = $list['vpnips']; if (!empty($list['address']) && is_alias($list['address'])) { - $home_net = explode(" ", trim(snort_get_alias_value($list['address']))); + $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } } @@ -2701,7 +2661,7 @@ function snort_generate_conf($snortcfg) { $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = snort_get_alias_value($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } @@ -2749,7 +2709,7 @@ EOD; $http_inspect_server_opts .= " \\\n\tlog_hostname"; } - $http_ports = str_replace(",", " ", $snort_ports['http_ports']); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); /* def http_inspect */ $http_inspect = <<<EOD @@ -2766,8 +2726,8 @@ preprocessor http_inspect_server: server default profile {$http_server_profile} EOD; /* def ftp_preprocessor */ - $telnet_ports = str_replace(",", " ", $snort_ports['telnet_ports']); - $ftp_ports = str_replace(",", " ", $snort_ports['ftp_ports']); + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); $ftp_preprocessor = <<<EOD # ftp_telnet preprocessor # preprocessor ftp_telnet: global \ @@ -2818,7 +2778,7 @@ preprocessor ftp_telnet_protocol: ftp client default \ EOD; - $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); $pop_preproc = <<<EOD # POP preprocessor # preprocessor pop: \ @@ -2830,7 +2790,7 @@ preprocessor pop: \ EOD; - $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); $imap_preproc = <<<EOD # IMAP preprocessor # preprocessor imap: \ @@ -2842,7 +2802,7 @@ preprocessor imap: \ EOD; - $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD # SMTP preprocessor # @@ -2894,7 +2854,7 @@ EOD; $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; $sf_pscan_ignore_scanners = "\$HOME_NET"; if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = snort_get_alias_value($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); } @@ -2909,7 +2869,7 @@ preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ EOD; /* def ssh_preproc */ - $ssh_ports = str_replace(",", " ", $snort_ports['ssh_ports']); + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); $ssh_preproc = <<<EOD # SSH preprocessor # preprocessor ssh: server_ports { {$ssh_ports} } \ @@ -2923,7 +2883,7 @@ preprocessor ssh: server_ports { {$ssh_ports} } \ EOD; /* def other_preprocs */ - $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']); + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); $other_preprocs = <<<EOD # Other preprocs # preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete @@ -2944,7 +2904,7 @@ preprocessor dcerpc2_server: default, policy WinXP, \ EOD; - $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); $sip_preproc = <<<EOD # SIP preprocessor # preprocessor sip: max_sessions 40000, \ @@ -2982,7 +2942,7 @@ preprocessor sip: max_sessions 40000, \ EOD; - $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD # DNS preprocessor # @@ -2993,7 +2953,7 @@ preprocessor dns: \ EOD; /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']); + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); $dnp3_preproc = <<<EOD # DNP3 preprocessor # preprocessor dnp3: \ @@ -3004,7 +2964,7 @@ preprocessor dnp3: \ EOD; /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']); + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); $modbus_preproc = <<<EOD # Modbus preprocessor # preprocessor modbus: \ @@ -3013,7 +2973,7 @@ preprocessor modbus: \ EOD; /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); $gtp_preproc = <<<EOD # GTP preprocessor # preprocessor gtp: ports { {$gtp_ports} } @@ -3021,7 +2981,7 @@ preprocessor gtp: ports { {$gtp_ports} } EOD; /* def ssl_preprocessor */ - $ssl_ports = str_replace(",", " ", $snort_ports['ssl_ports']); + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); $ssl_preproc = <<<EOD # SSL preprocessor # preprocessor ssl: \ @@ -3058,8 +3018,8 @@ EOD; $vardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = snort_get_alias_value($snortcfg["def_{$alias}"]); - $avalue = str_replace(" ", ",", trim($avalue)); + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); } $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; } diff --git a/config/snort/snort.xml b/config/snort/snort.xml index 3d4c8016..49bec61c 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.9.4.6</version> - <title>Services:2.9.4.6 pkg v. 2.6.0</title> + <title>Services:2.9.4.6 pkg v. 2.6.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 0295ed2f..728de751 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -171,7 +171,7 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; + $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); } } @@ -183,7 +183,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -208,7 +208,7 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); else /* We did not find the defined list, so notify the user with an error */ $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); @@ -221,8 +221,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($fd) fclose($fd); conf_mount_ro(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed if snort is run as snort user */ mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); @@ -233,22 +232,28 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); if (file_exists("/tmp/{$file_name}")) { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp file @unlink("/tmp/{$file_name}"); } - header("Location: /snort/snort_alerts.php?instance={$instanceid}"); - exit; + else + $savemsg = gettext("An error occurred while creating archive"); } /* Load up an array with the current Suppression List GID,SID values */ diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index a81b03d7..983e8905 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -67,7 +67,6 @@ if ($_POST['download']) exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); /* build the list */ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { - ob_start(); //important or other posts will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_blocked_{$save_date}.tar.gz"; exec('/bin/mkdir -p /tmp/snort_blocked'); @@ -79,24 +78,32 @@ if ($_POST['download']) file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); } - exec("/usr/bin/tar cf /tmp/{$file_name} /tmp/snort_blocked"); + // Create a tar gzip archive of blocked host IP addresses + exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/snort_blocked snort_block.pf"); + // If we successfully created the archive, send it to the browser. if(file_exists("/tmp/{$file_name}")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail readfile("/tmp/{$file_name}"); - ob_end_clean(); //importanr or other post will fail + + // Clean up the temp files and directory @unlink("/tmp/{$file_name}"); exec("/bin/rm -fr /tmp/snort_blocked"); } else - $savemsg = "An error occurred while creating archive"; + $savemsg = gettext("An error occurred while creating archive"); } else - $savemsg = "No content on snort block list"; + $savemsg = gettext("No content on snort block list"); } if ($_POST['save']) diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index 30da4b74..e7263330 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -35,29 +35,25 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; - -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); +if (!defined("ETPRO_BASE_DNLD_URL")) + define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("ETPRO_DNLD_FILENAME")) + define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); -if (!defined("FLOWBITS_FILENAME")) - define("FLOWBITS_FILENAME", "flowbit-required.rules"); -if (!defined("ENFORCING_RULES_FILENAME")) - define("ENFORCING_RULES_FILENAME", "snort.rules"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); - $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; @@ -72,8 +68,10 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$etproid = $config['installedpackages']['snortglobal']['etpro_code']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; @@ -81,19 +79,39 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; /* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; -$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +/* Grab the Snort binary version programmatically and use it to construct */ +/* the proper Snort VRT rules tarball and md5 filenames. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +// Save the version with decimal delimiters for use in extracting the rules +$snort_version = $snortver[0]; +// Create a collapsed version string for use in the tarball filename +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +$snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules filenames and URL */ -$emergingthreats_filename = ET_DNLD_FILENAME; -$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; -$emerging_threats_version = ET_VERSION; -$emergingthreats_url = ET_BASE_DNLD_URL; -// If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules -$emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; -$emergingthreats_url .= "snort-" . ET_VERSION . "/"; +/* Set up Emerging Threats rules filenames and URL */ +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ETPRO_BASE_DNLD_URL; + $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; + $emergingthreats = "on"; + $et_name = "Emerging Threats Pro"; + $et_md5_remove = ET_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ET_BASE_DNLD_URL; + // If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules + $emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; + $emergingthreats_url .= "snort-" . ET_VERSION . "/"; + $et_name = "Emerging Threats Open"; + $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} /* Snort GPLv2 Community Rules filenames and URL */ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -112,7 +130,13 @@ function snort_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + + // Initialize required variables for pfSense "read_body()" function + $file_size = 1; + $downloaded = 1; + $first_progress_update = TRUE; + /* Array of message strings for HTTP Response Codes */ $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", @@ -418,34 +442,34 @@ if ($snortcommunityrules == 'on') { /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading EmergingThreats md5 file...")); - error_log(gettext("\tDownloading EmergingThreats md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); + update_status(gettext("Downloading {$et_name} md5 file...")); + error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5 file {$emergingthreats_filename_md5}")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); + error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + update_status(gettext("{$et_name} rules are up to date...")); + log_error(gettext("[Snort] {$et_name} rules are up to date...")); + error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } } else { if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tEmergingThreats md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); + log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -453,9 +477,9 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading {$emergingthreats_filename}...")); - log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of EmergingThreats rules posted.\n"), 3, $snort_rules_upd_log); + update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); + log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); @@ -463,29 +487,29 @@ if ($emergingthreats == "on") { if ($rc === true) { if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); + log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } else { if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + update_status(gettext('Done downloading {$et_name} rules file.')); + log_error("[Snort] {$et_name} rules file update downloaded successfully"); + error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); } } else { if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); - update_output_window(gettext("EmergingThreats rules file download failed...")); + update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); + update_output_window(gettext("{$et_name} rules file download failed...")); } - log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; @@ -497,22 +521,34 @@ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { - update_status(gettext("Extracting EmergingThreats.org rules...")); - update_output_window(gettext("Installing EmergingThreats rules...")); + update_status(gettext("Extracting {$et_name} rules...")); + update_output_window(gettext("Installing {$et_name} rules...")); } - error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + /* Remove the old Emerging Threats rules files */ + array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -527,10 +563,10 @@ if ($emergingthreats == 'on') { @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") { - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); - update_output_window(gettext("Installation of EmergingThreats rules completed...")); + update_status(gettext("Extraction of {$et_name} rules completed...")); + update_output_window(gettext("Installation of {$et_name} rules completed...")); } - error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } } @@ -544,6 +580,9 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; + /* Remove the old Snort rules files */ + array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); update_output_window(gettext("Installing Sourcefire VRT rules...")); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 2a6d47ff..ca549820 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -203,15 +203,18 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> <input name="def_<?=$key;?>" size="40" type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/><?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -226,14 +229,17 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -262,6 +268,9 @@ if ($savemsg) if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 1f87fbbc..09ab646a 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -40,8 +40,14 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; -$snort_rules_file = VRT_DNLD_FILENAME; -$emergingthreats_filename = ET_DNLD_FILENAME; + +/* Grab the Snort binary version programmatically and */ +/* use it to construct the proper Snort VRT rules */ +/* tarball filename. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ @@ -49,8 +55,18 @@ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $et_name = "EMERGING THREATS PRO RULES"; +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $et_name = "EMERGING THREATS RULES"; +} + /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) @@ -138,9 +154,9 @@ h += 96; <p style="text-align: left; margin-left: 225px;"> <font color="#777777" size="2.5px"> <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> - <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> + <font color="#FF850A" size="1px"><b>SNORT VRT RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> + <font color="#FF850A" size="1px"><b><?=$et_name;?> --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br/> <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> @@ -160,7 +176,7 @@ h += 96; <?php - if ($snortdownload != 'on' && $emergingthreats != 'on') { + if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on') { echo ' <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index d28ec2b4..089255b6 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -44,7 +44,9 @@ $snortdir = SNORTDIR; /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; @@ -63,14 +65,22 @@ if ($_POST['rule_update_starttime']) { $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } +if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) + $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) + $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; + /* if no errors move foward */ if (!$input_errors) { if ($_POST["Submit"]) { - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { @@ -160,19 +170,14 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" - <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> - <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> - </tr> - <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();" <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> - <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> + <td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td> <tr> <td> </td> - <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br> <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> - <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> + <?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td> </tr> <tr> <td colspan="2"> </td> @@ -180,17 +185,17 @@ if ($input_errors) </table> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> - <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?></strong></span></td> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> </tr> - </table> + </table> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . @@ -198,7 +203,7 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> @@ -212,11 +217,41 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> - <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . - "moving and diverse Snort Rules."); ?></span></td> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " . + "is more limited than ETPro."); ?></span></td> + </tr> + <tr> + <td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td> </tr> + <tr> + <td> </td> + <td><a href="http://www.emergingthreats.net/solutions/etpro-ruleset/" target="_blank"><?php echo gettext("Sign Up for an ETPro Account"); ?> </a></td> + </tr> + <tr> + <td> </td> + <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> + </tr> + <tr> + <td colspan="2"> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> + <td><input name="etpro_code" type="text" + class="formfld" id="etpro_code" size="52" + value="<?=htmlspecialchars($pconfig['etpro_code']);?>" + <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td> + </tr> </table> </td> </tr> @@ -330,13 +365,28 @@ if ($input_errors) <script language="JavaScript"> <!-- -function enable_snort_vrt(btn) { - if (btn == 'off') { - document.iform.oinkmastercode.disabled = "true"; +function enable_snort_vrt() { + var endis = !(document.iform.snortdownload.checked); + document.iform.oinkmastercode.disabled = endis; + document.iform.etpro_code.disabled = endis; +} + +function enable_et_rules() { + var endis = document.iform.emergingthreats.checked; + if (endis) { + document.iform.emergingthreats_pro.checked = !(endis); + document.iform.etpro_code.disabled = "true"; } - if (btn == 'on') { - document.iform.oinkmastercode.disabled = ""; - } +} + +function enable_etpro_rules() { + var endis = document.iform.emergingthreats_pro.checked; + if (endis) { + document.iform.emergingthreats.checked = !(endis); + document.iform.etpro_code.disabled = ""; + } + else + document.iform.etpro_code.disabled = "true"; } function enable_change_rules_upd() { diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index fc157375..671fa4e5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -261,7 +261,7 @@ if ($savemsg) <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> - <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> + <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/> </td> </tr> <tr> @@ -287,6 +287,9 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; + // Skip any Alias that resolves to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 6c839846..95d5a10e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -1161,8 +1161,8 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> - <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> </td> @@ -1315,6 +1315,8 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index c9d90597..c9852597 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file, $rebuild_rules; +global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -106,6 +106,7 @@ function add_title_attribute($tag, $title) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $categories = explode("||", $pconfig['rulesets']); @@ -117,7 +118,7 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules")) { +if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { if (!empty($a_rule[$id]['ips_policy'])) $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); else @@ -133,6 +134,9 @@ $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. + // If it is the auto-flowbits file, set the full path. + if ($currentruleset == "Auto-Flowbit Rules") + $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; // Test for the special case of an IPS Policy file. if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); @@ -193,8 +197,6 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { write_config(); $_GET['openruleset'] = $currentruleset; -// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); -// exit; $anchor = "rule_{$sid}"; } @@ -334,7 +336,7 @@ if ($_POST['customrules']) { $rebuild_rules = false; $output = ""; $retcode = ""; - exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); + exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); if (intval($retcode) != 0) { $error = ""; $start = count($output); @@ -436,6 +438,8 @@ if ($savemsg) { $files = explode("||", $pconfig['rulesets']); if ($a_rule[$id]['ips_policy_enable'] == 'on') $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + if ($a_rule[$id]['autoflowbitrules'] == 'on') + $files[] = "Auto-Flowbit Rules"; natcasesort($files); foreach ($files as $value) { if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") @@ -517,6 +521,17 @@ if ($savemsg) { title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?> <?php echo gettext("Enable all rules in the current Category"); ?></td> </tr> + <?php if ($currentruleset == 'Auto-Flowbit Rules'): ?> + <tr> + <td colspan="3"> </td> + </tr> + <tr> + <td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" . + gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . + "<a href='snort_rules_flowbits.php?id={$id}' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . + gettext("clicking here") . ".</a>";?></td> + </tr> + <?php endif;?> </table> </td> </tr> @@ -564,27 +579,32 @@ if ($savemsg) { foreach ($rulem as $k2 => $v) { $sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); } // Pick off the first section of the rule (prior to the start of the MSG field), @@ -611,7 +631,7 @@ if ($savemsg) { <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" - title='" . gettext("Click to toggle enabled/disabled state") . "'></a> + title='{$title}'></a> $textse </td> <td class=\"listlr\" align=\"center\"> @@ -638,8 +658,8 @@ if ($savemsg) { ?> <td align="right" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> </td> </tr> diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index a1f45c07..c0087464 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -37,7 +37,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $flowbit_rules_file; +$flowbit_rules_file = FLOWBITS_FILENAME; $snortdir = SNORTDIR; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { @@ -60,10 +60,17 @@ if (isset($id) && $a_rule[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $file = $_GET['openruleset']; $contents = ''; $wrap_flag = "off"; +// Correct displayed file title if necessary +if ($file == "Auto-Flowbit Rules") + $displayfile = FLOWBITS_FILENAME; +else + $displayfile = $file; + // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, // a standard rules file, or a complete file name. @@ -87,13 +94,18 @@ if (substr($file, 0, 10) == "IPS Policy") { } // Is it a SID to load the rule text from? elseif (isset($_GET['ids'])) { - $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); + // If flowbit rule, point to interface-specific file + if ($file == "Auto-Flowbit Rules") + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + else + $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } + // Is it our special flowbit rules file? -elseif ($file == $flowbit_rules_file) - $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); +elseif ($file == "Auto-Flowbit Rules") + $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); @@ -101,10 +113,8 @@ elseif (file_exists("{$snortdir}/rules/{$file}")) elseif (file_exists($file)) $contents = file_get_contents($file); // It is not something we can display, so exit. -else { - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}"); - exit; -} +else + $input_errors[] = gettext("Unable to open file: {$displayfile}"); $pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> @@ -128,7 +138,7 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); <input type="button" class="formbtn" value="Return" onclick="window.close()"> </td> <td align="right"> - <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> + <b><?php echo gettext("Rules File: ") . '</b> ' . $displayfile; ?> </td> </tr> <tr> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 7a653af8..92330ebf 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -50,6 +50,21 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; +// Set who called us so we can return to the correct page with +// the RETURN button. We will just trust this User-Agent supplied +// string for now. +session_start(); +if(!isset($_SESSION['org_referer'])) + $_SESSION['org_referer'] = $_SERVER['HTTP_REFERER']; +$referrer = $_SESSION['org_referer']; + +if ($_POST['cancel']) { + unset($_SESSION['org_referer']); + session_write_close(); + header("Location: {$referrer}"); + exit; +} + $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -88,14 +103,15 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { $s_list = array(); - $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['name'] = $a_nat[$id]['interface'] . "suppress" . "_" . $s_list['uuid']; + $s_list['descr'] = "Auto-generated list for Alert suppression"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_nat[$id]['suppresslistname'] = $s_list['name']; $found_list = true; } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_nat[$id]['suppresslistname']) { $found_list = true; @@ -105,6 +121,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } } } } @@ -112,7 +132,8 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ write_config(); $rebuild_rules = false; sync_snort_package_config(); - $savemsg = gettext("Wrote suppress rule for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' to the '{$a_nat[$id]['suppresslistname']}' Suppression List."); + snort_reload_config($a_nat[$id]); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -179,8 +200,9 @@ if ($savemsg) <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> - <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php - echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + <td rowspan="3" align="right"><input id="cancel" name="cancel" type="submit" class="formbtn" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /></td> </tr> <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> @@ -272,7 +294,7 @@ if ($savemsg) <?php if ($count > 20): ?> <tr> <td align="center" valign="middle"> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> <input name="id" type="hidden" value="<?=$id;?>" /> </td> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 7ec0edbd..3c613f84 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -63,6 +63,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; $no_emerging_files = false; @@ -70,10 +71,13 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') + $test = glob("{$snortdir}/rules/emerging-*.rules"); +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) + $test = glob("{$snortdir}/rules/etpro-*.rules"); if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort_*.rules"); +$test = glob("{$snortdir}/rules/snort*.rules"); if (empty($test)) $no_snort_files = true; if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) @@ -184,10 +188,16 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging*.rules"); + $files = glob("{$snortdir}/rules/emerging-*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } + elseif ($etpro == 'on') { + $files = glob("{$snortdir}/rules/etpro-*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + if ($snortcommunitydownload == 'on') { $files = glob("{$snortdir}/rules/*_community.rules"); foreach ($files as $file) @@ -421,7 +431,10 @@ if ($savemsg) { <tr id="frheader"> <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Open Rules');?></td> + <?php elseif ($etpro == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> <?php endif; ?> @@ -446,7 +459,9 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging") && $emergingdownload == 'on') + if (strstr($filename, "emerging-") && $emergingdownload == 'on') + $emergingrules[] = $filename; + else if (strstr($filename, "etpro-") && $etpro == 'on') $emergingrules[] = $filename; else if (strstr($filename, "snort") && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) diff --git a/config/softflowd/softflowd.xml b/config/softflowd/softflowd.xml new file mode 100644 index 00000000..149631b8 --- /dev/null +++ b/config/softflowd/softflowd.xml @@ -0,0 +1,137 @@ +<packagegui> + <name>softflowd</name> + <version>0.9.8</version> + <title>softflowd: Settings</title> + <aftersaveredirect>pkg_edit.php?xml=softflowd.xml&id=0</aftersaveredirect> + <menu> + <name>softflowd</name> + <tooltiptext>Modify softflowd settings.</tooltiptext> + <section>Services</section> + <configfile>softflowd.xml</configfile> + <url>/pkg_edit.php?xml=softflowd.xml&id=0</url> + </menu> + <service> + <name>softflowd</name> + <rcfile>softflowd.sh</rcfile> + <executable>softflowd</executable> + <description>Netflow export daemon</description> + </service> + <configpath>installedpackages->package->$packagename->configuration->settings</configpath> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>interface</fieldname> + <type>interfaces_selection</type> + <description>Pick an interface from which to collect netflow data. A separate instance of softflowd will be launched for each interface.</description> + <multiple/> + </field> + <field> + <fielddescr>Host</fielddescr> + <fieldname>host</fieldname> + <description>Specify the host to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Enter the port to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Max Flows</fielddescr> + <fieldname>maxflows</fieldname> + <description>Specify the maximum number of flows to concurrently track before older flows are expired. Default: 8192.</description> + <type>input</type> + </field> + <field> + <fielddescr>Netflow version</fielddescr> + <fieldname>version</fieldname> + <description>Select the desired version of the NetFlow protocol.</description> + <type>select</type> + <options> + <option> + <name>9</name> + <value>9</value> + </option> + <option> + <name>5</name> + <value>5</value> + </option> + <option> + <name>1</name> + <value>1</value> + </option> + </options> + </field> + </fields> + <custom_php_global_functions> + <![CDATA[ + function sync_package_softflowd() { + conf_mount_rw(); + config_lock(); + global $config; + $cf = $config['installedpackages']['softflowd']['config'][0]; + $interface_list = explode(",", $cf['interface']); + if (!empty($cf['host']) && !empty($interface_list)) { + $cf['host'] = is_ipaddrv6($cf['host']) ? "[{$cf['host']}]" : $cf['host']; + $start = "/usr/bin/killall -9 softflowd"; + foreach ($interface_list as $interface_friendly) { + if (empty($interface_friendly)) + continue; + $interface = get_real_interface($interface_friendly); + if (empty($interface)) + continue; + $start .= "\n\t/usr/local/sbin/softflowd "; + $start .= " -i {$interface}"; + $start .= " -n {$cf['host']}:{$cf['port']}"; + if (is_numeric($cf['maxflows'])) + $start .= " -m {$cf['maxflows']}"; + if ($cf['version'] != "") + $start .= " -v {$cf['version']}"; + $start .= " -p /var/run/softflowd.{$interface}.pid"; + $start .= " -c /var/run/softflowd.{$interface}.ctl"; + } + write_rcfile(array( + "file" => "softflowd.sh", + "start" => $start, + "stop" => "/usr/bin/killall -9 softflowd" + ) + ); + restart_service("softflowd"); + } + conf_mount_ro(); + config_unlock(); + } + + function validate_form_softflowd($post, $input_errors) { + if (($post['host'] == "") || !is_ipaddr($post['host'])) + $input_errors[] = 'You must specify a valid ip address in the \'Host\' field'; + if (($post['port'] == "") || !is_port($post['port'])) + $input_errors[] = 'You must specify a valid port number in the \'Port\' field'; + } + + function cleanup_config_softflowd() { + global $a_pkg; + $pffconf = array(); + if (is_array($a_pkg)) { + foreach($a_pkg as $cf) { + if ($cf['host'] != "") { + $pffconf = $cf; + } + } + } + $a_pkg = array(); + $a_pkg[0] = $pffconf; + } + ]]> + </custom_php_global_functions> + <custom_php_resync_config_command> + sync_package_softflowd(); + </custom_php_resync_config_command> + <custom_php_validation_command> + validate_form_softflowd($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + cleanup_config_softflowd(); + </custom_php_command_before_form> +</packagegui> diff --git a/config/squid3/31/squid_reverse.xml b/config/squid3/31/squid_reverse.xml index ce09f8e7..7c25c371 100644 --- a/config/squid3/31/squid_reverse.xml +++ b/config/squid3/31/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid3/33/pkg_squid.inc b/config/squid3/33/pkg_squid.inc new file mode 100644 index 00000000..47b64e2d --- /dev/null +++ b/config/squid3/33/pkg_squid.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['squid'] = array(); +$shortcuts['squid']['main'] = "pkg_edit.php?xml=squid.xml"; +$shortcuts['squid']['log'] = "squid_monitor.php"; +$shortcuts['squid']['status'] = "status_services.php"; +$shortcuts['squid']['service'] = "squid"; + +?>
\ No newline at end of file diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 1da86847..c55160bc 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -40,7 +40,8 @@ require_once('service-utils.inc'); if(!function_exists("filter_configure")) require_once("filter.inc"); - + +$shortcut_section = "squid"; $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); @@ -155,7 +156,9 @@ function squid_install_command() { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; if (is_array($config['installedpackages']['squid']['config'])) $settingsgen = $config['installedpackages']['squid']['config'][0]; - + + if (file_exists("/usr/local/pkg/check_ip.php")) + rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php"); /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -659,7 +662,7 @@ function squid_validate_auth($post, $input_errors) { } $auth_method = $post['auth_method']; - if (($auth_method != 'none') && ($auth_method != 'local')) { + if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; @@ -1633,13 +1636,22 @@ function squid_resync_auth() { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + if ($transparent_proxy){ + if (preg_match ("/(none|cp)/",$settings['auth_method'])) + $auth_method=$settings['auth_method']; + else + $auth_method="none"; + } + else{ + $auth_method=$settings['auth_method']; + } // Allow the remaining ACLs if no authentication is set - if ($auth_method == 'none') { + if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .="http_access deny sglog\n"; - + } + if ($auth_method == 'none' ) { $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1658,7 +1670,7 @@ function squid_resync_auth() { } // Set up the external authentication programs - $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5); $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { @@ -1674,11 +1686,17 @@ function squid_resync_auth() { $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; + case 'cp': + $conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "acl dgfilter external check_filter\n"; + $conf .= "http_access allow dgfilter\n"; + break; case 'msnt': $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } + if ($auth_method != 'cp'){ $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1686,7 +1704,7 @@ auth_param basic credentialsttl $auth_ttl minutes acl password proxy_auth REQUIRED EOD; - + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); @@ -1703,13 +1721,15 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($auth_method != 'cp'){ + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; @@ -1844,7 +1864,7 @@ function squid_print_javascript_auth() { $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); // No authentication for transparent proxy - if ($transparent_proxy) { + if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -1959,6 +1979,24 @@ function on_auth_method_changed() { document.iform.radius_secret.disabled = 1; document.iform.msnt_secondary.disabled = 0; break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> @@ -1975,43 +2013,51 @@ function squid_print_javascript_auth2() { } function squid_generate_rules($type) { - global $config; + global $config,$pf_version; $squid_conf = $config['installedpackages']['squid']['config'][0]; - //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/} set 1 skipto 65314/',$line)){ - $found_rule++; - $new_line =""; + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line){ + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)){ + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0){ + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + } + } + else{ + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; + } + } + $new_cp_inc .= $new_line; } - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); } - $new_cp_inc .= $new_line; - } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); - } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); - } - //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index d64aabb9..a8bc0530 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -238,7 +238,16 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid3/33/squid_log_parser.php</item> </additional_files_needed> - + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/pkg_squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/check_ip.php</item> + </additional_files_needed> <fields> <field> <name>Squid General Settings</name> diff --git a/config/squid3/33/squid_auth.xml b/config/squid3/33/squid_auth.xml index 111085a8..e71a7e8d 100755 --- a/config/squid3/33/squid_auth.xml +++ b/config/squid3/33/squid_auth.xml @@ -110,6 +110,7 @@ <option><name>Local</name><value>local</value></option> <option><name>LDAP</name><value>ldap</value></option> <option><name>RADIUS</name><value>radius</value></option> + <option><name>Captive Portal</name><value>cp</value></option> <option><name>NT domain</name><value>msnt</value></option> </options> <onchange>on_auth_method_changed()</onchange> @@ -140,16 +141,16 @@ <fieldname>auth_processes</fieldname> <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> - <size>60</size> + <size>5</size> <default_value>5</default_value> </field> <field> <fielddescr>Authentication TTL</fielddescr> <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description> <type>input</type> - <size>60</size> - <default_value>60</default_value> + <size>5</size> + <default_value>5</default_value> </field> <field> <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> @@ -193,7 +194,7 @@ <fieldname>ldap_pass</fieldname> <description>Enter here the password to use to connect to the LDAP server.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> <field> <fielddescr>LDAP base domain</fielddescr> @@ -207,7 +208,7 @@ <fieldname>ldap_userattribute</fieldname> <description>Enter LDAP username DN attibute.</description> <type>input</type> - <size>60</size> + <size>20</size> <default_value>uid</default_value> </field> <field> @@ -215,7 +216,7 @@ <fieldname>ldap_filter</fieldname> <description>Enter LDAP search filter.</description> <type>input</type> - <size>60</size> + <size>40</size> <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> @@ -245,7 +246,7 @@ <fieldname>radius_secret</fieldname> <description>The RADIUS secret for RADIUS authentication.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> </fields> <custom_php_validation_command> @@ -262,7 +263,7 @@ </custom_php_before_form_command> <custom_php_after_head_command> $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - if($transparent_proxy) + if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; squid_print_javascript_auth(); </custom_php_after_head_command> diff --git a/config/squid3/33/squid_monitor.php b/config/squid3/33/squid_monitor.php index 3a7b1d01..272cc9c4 100755 --- a/config/squid3/33/squid_monitor.php +++ b/config/squid3/33/squid_monitor.php @@ -43,6 +43,7 @@ if(strstr($pfSversion, "1.2")) $one_two = true; $pgtitle = "Status: Proxy Monitor"; +$shortcut_section = "squid"; include("head.inc"); ?> diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml index ce09f8e7..7c25c371 100755 --- a/config/squid3/33/squid_reverse.xml +++ b/config/squid3/33/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc index ab44ae8d..5dbfcc43 100644 --- a/config/squidGuard/squidguard_configurator.inc +++ b/config/squidGuard/squidguard_configurator.inc @@ -205,6 +205,7 @@ define('SQUIDGUARD_GUILOG_LEVEL', SQUIDGUARD_INFO); # log level define('SQUIDGUARD_GUILOG_MAXCOUNT', 500); # log max lines define('SQUIDGUARD_GUILOG_ENABLE', true); # on/off gui log - option override GUI settings define('SQUIDGUARD_LOG_ENABLE', true); # on/off SG log - option override GUI settings +define('SQUIDGUARD_LOGROTATE_MAXCOUNT', 1000); # logrotate max lines # define('FLT_DEFAULT_ALL', 'all'); @@ -1920,7 +1921,8 @@ function acl_remove_blacklist_items($items) # ----------------------------------------------------------------------------- function sg_script_logrotate() { - + $lines = SQUIDGUARD_LOGROTATE_MAXCOUNT; + global $squidguard_config; $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE; diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc index 75d5bb4d..e1b4d35e 100644 --- a/config/syslog-ng/syslog-ng.inc +++ b/config/syslog-ng/syslog-ng.inc @@ -235,7 +235,7 @@ function syslogng_get_log_files($objects) { foreach($objects as $object) { if($object['objecttype'] == 'destination') { - preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); + preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); if($match) { $log_file = $match[1]; array_push($log_files, $log_file); @@ -433,4 +433,4 @@ EOD; conf_mount_rw(); write_rcfile($rc); } -?>
\ No newline at end of file +?> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index d013608c..6e55d577 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -118,7 +118,6 @@ function unbound_keys_setup() { function unbound_rc_setup() { global $config; - // Startup process and idea taken from TinyDNS package (author sullrich@gmail.com) $filename = "unbound.sh"; $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP @@ -198,7 +197,7 @@ function unbound_control($action) { case "start": //Start unbound - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { if(!is_service_running("unbound")) unbound_ctl_exec("start"); /* Link dnsmasq.pid to prevent dhcpleases logging error */ @@ -213,7 +212,7 @@ function unbound_control($action) { case "stop": //Stop unbound and unmount the file system - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); unbound_ctl_exec("stop"); } @@ -240,7 +239,9 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor + conf_mount_rw(); mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); + conf_mount_ro(); break; default: break; @@ -461,15 +462,14 @@ function unbound_resync_config() { private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 -private-address: 192.254.0.0/16 +private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 # Set private domains in case authorative name server returns a RFC1918 IP address EOF; - // Add private-domain options - $private_domains = unbound_add_domain_overrides(true); - + // Add private-domain options + $private_domains = unbound_add_domain_overrides(true); } //Setup optimization @@ -547,6 +547,7 @@ harden-dnssec-stripped: {$harden_dnssec_stripped} {$optimization['rrset_cache_size']} outgoing-range: 8192 {$optimization['so_rcvbuf']} +{$optimization['so_sndbuf']} # Interface IP(s) to bind to {$unbound_bind_interfaces} @@ -649,18 +650,21 @@ function unbound_optimization() { // Check that it is set to 4MB (by default the OS has it configured to 4MB) foreach ($config['sysctl']['item'] as $tunable) { if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') { - $so = floor(($tunable['value']/1024/1024)-1); + if ($tunable['value'] == 'default') + $maxsockbuf = '4262144'; + else + $maxsockbuf = $tunable['value']; + $so = floor(($maxsockbuf/1024/1024)-1); // Check to ensure that the number is not a negative - if ($so > 0) + if ($so > 0) { $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m"; - else - unset($optimization['so_rcvbuf']); - + $optimization['so_sndbuf'] = "so-sndbuf: {$so}m"; + } else { + $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; + $optimization['so_sndbuf'] = "#so-sndbuf: 4m"; + } } } - // Safety check in case kern.ipc.maxsockbuf is deleted. - if(!isset($optimization['so_rcvbuf'])) - $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; return $optimization; } @@ -694,7 +698,7 @@ function fetch_root_hints() { function unbound_validate($post, $type=null) { global $config, $input_errors; - if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) + if($post['enable'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; /* Validate the access lists */ @@ -741,7 +745,7 @@ function unbound_reconfigure() { $unbound_config = $config['installedpackages']['unbound']['config'][0]; - if ($unbound_config['unbound_status'] != "on") { + if ($unbound_config['enable'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); } else { @@ -820,30 +824,49 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } + $added_item_v4 = array(); + $added_item_v6 = array(); if ($config['interfaces']['lan']) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6("lan"); + if (is_ipaddrv6($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } } else { $sysiflist = get_configured_interface_list(); foreach ($sysiflist as $sysif) { if (!interface_has_gateway($sysif)) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; - break; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6($sysif); + if (is_ipaddr($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } + if (is_ipaddr($cfgip) || is_ipaddr($cfgip6)) + break; } } } - $added_item_v4 = array(); - $added_item_v6 = array(); // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; @@ -852,7 +875,7 @@ function unbound_add_host_entries() { foreach ($hosts as $host) { $current_host = ($host['host'] != "") ? $host['host'].".".$host['domain'] : $host['domain']; if (function_exists("is_ipaddrv6") && is_ipaddrv6($host['ip'])) { - if (!$added_item_v6[$curent_host]) { + if (!$added_item_v6[$current_host]) { $host_entries .= "local-data-ptr: \"{$host['ip']} {$current_host}\"\n"; $host_entries .= "local-data: \"{$current_host} IN AAAA {$host['ip']}\"\n"; $added_item_v6[$current_host] = true; diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 10de1f97..20f3d250 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -80,6 +80,9 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> + <system_services> + <dns/> + </system_services> <tabs> <tab> <text>Unbound DNS Settings</text> @@ -106,7 +109,7 @@ <type>listtopic</type> </field> <field> - <fieldname>unbound_status</fieldname> + <fieldname>enable</fieldname> <fielddescr>Enable Unbound</fielddescr> <description>Enable the use of Unbound as your DNS forwarder.</description> <type>checkbox</type> diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index e488bc49..f4eaa140 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -25,6 +25,9 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +require_once("/usr/local/www/widgets/include/widget-snort.inc"); + global $config, $g; /* array sorting */ diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc index 105dd1e7..b9cfbeac 100644 --- a/config/widget-snort/widget-snort.inc +++ b/config/widget-snort/widget-snort.inc @@ -1,5 +1,10 @@ <?php require_once("config.inc"); + +//set variable for custom title +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; + function widget_snort_uninstall() { global $config; diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml index a6ea7f88..29edcc3f 100644 --- a/config/widget-snort/widget-snort.xml +++ b/config/widget-snort/widget-snort.xml @@ -46,7 +46,7 @@ <requirements>Dashboard package and Snort</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>widget-snort</name> - <version>0.3.4</version> + <version>0.3.5</version> <title>Widget - Snort</title> <include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file> <additional_files_needed> diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml index 55273a81..61e0f52f 100644 --- a/config/zabbix2/zabbix2-agent.xml +++ b/config/zabbix2/zabbix2-agent.xml @@ -41,7 +41,7 @@ <name>zabbixagent</name> <title>Services: Zabbix-2 Agent</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Agent has been created/modified.</addedit_string> <delete_string>Zabbix Agent has been deleted.</delete_string> @@ -179,5 +179,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_agent();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml index fcabedd9..d9402bac 100644 --- a/config/zabbix2/zabbix2-proxy.xml +++ b/config/zabbix2/zabbix2-proxy.xml @@ -41,7 +41,7 @@ <name>zabbixproxy</name> <title>Services: Zabbix-2 Proxy</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Proxy has been created/modified.</addedit_string> <delete_string>Zabbix Proxy has been deleted.</delete_string> @@ -137,5 +137,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_proxy();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc index 730ef873..34777387 100644 --- a/config/zabbix2/zabbix2.inc +++ b/config/zabbix2/zabbix2.inc @@ -42,38 +42,61 @@ function php_install_zabbix2(){ sync_package_zabbix2(); } -function php_deinstall_zabbix2(){ - global $config, $g; +function php_deinstall_zabbix2_agent(){ + global $config, $g; - conf_mount_rw(); - $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); - if ($pfs_version > 2.0){ - define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); - define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); - } else { - define('ZABBIX_AGENT_BASE', '/usr/local'); - define('ZABBIX_PROXY_BASE', '/usr/local'); - } - - exec("/usr/bin/killall zabbix_proxy"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); - - exec("/usr/bin/killall zabbix_agentd"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); - - if (is_dir("/var/log/zabbix2")) - exec("/bin/rm -r /var/log/zabbix2/"); - if (is_dir("/var/run/zabbix2")) - exec("/bin/rm -r /var/run/zabbix2/"); - if (is_dir("/var/db/zabbix2")) - exec("/bin/rm -r /var/db/zabbix2/"); - conf_mount_ro(); + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + } else { + define('ZABBIX_AGENT_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_agentd"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); + + if (!is_array($config['installedpackages']['zabbixproxy'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + conf_mount_ro(); +} + +function php_deinstall_zabbix2_proxy(){ + global $config, $g; + + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + } else { + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); + + if (!is_array($config['installedpackages']['zabbixagent'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + if (is_dir("/var/db/zabbix2")) + exec("/bin/rm -r /var/db/zabbix2/"); + + conf_mount_ro(); } function validate_input_zabbix2($post,&$input_errors){ |